Channel: SQLServerCentral » SQL Server 2014 » Development - SQL Server 2014 » Latest topics

How to use a CSV as parameter in a query

I always used a query with an (one) integer parameter, but now it has to change to more integers in the parameter.

[u]Before:[/u]
DECLARE @Param INT
SET @Param = 1
SELECT * FROM Trips WHERE TripID = @Param

[u]Future (a csv of Integers):[/u]
DECLARE @Param VARCHAR(MAX)
SET @Param = '1, 2, 3' -- 1 or more integers

[i]This of course doesn't work:[/i]
SELECT * FROM Trips WHERE TripID IN (@Param)

[u]I could use:[/u]
DECLARE @sql NVARCHAR(MAX)
SET @sql = 'SELECT * FROM Trips WHERE TripID IN (' + @Param + ')'
EXEC sp_executesql @sql

But, as the param comes from the internet, it is vulnerable to SQL injection attacks, I think.

[u]I would like to use a solution like:[/u]
DECLARE @Param VARCHAR(MAX)
SET @Param = '1, 2, 3'
DECLARE @Tbl TABLE(ID INT)
[i]--need a trick to get the numbers in the Param[/i]
SELECT * FROM Trips R INNER JOIN @Tbl T ON R.TripID = T.ID

There is a way using XML (I have Sql2014), but I couldn't figure out how to do it.
Or perhaps there is another way to solve this problem.
Any help?
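The XML route the poster is asking about, written out as an added example (this is not code from the original post or from SQLServerCentral). It assumes only the shape given in the question, a Trips table with an integer TripID, and stands in a table variable for it so the script runs on its own. The point is that @Param is never concatenated into SQL text: it is shredded into a table of integers, every token is validated with TRY_CONVERT (SQL Server 2012 and later), and the request is rejected as a whole if any token is not an integer. The names @escaped, @xml, @Tbl and @bad are this example's own.

```sql
-- Added example, not from the original post. Assumes Trips(TripID INT, ...) as in the question;
-- the table variable below is a constructed stand-in so the script is self-contained.
SET NOCOUNT ON;

DECLARE @Trips TABLE (TripID INT PRIMARY KEY, Destination NVARCHAR(50));
INSERT INTO @Trips (TripID, Destination)
VALUES (1, N'Oslo'), (2, N'Lisbon'), (3, N'Tokyo'), (4, N'Lima');

-- The value that arrives from the web layer. It is only ever treated as data below.
DECLARE @Param VARCHAR(MAX) = '1, 2, 3';

-- 1. Escape the XML metacharacters first, so input containing '<', '>' or '&' cannot
--    break the XML cast; then wrap each comma-separated token in an <i> element.
DECLARE @escaped VARCHAR(MAX) =
    REPLACE(REPLACE(REPLACE(@Param, '&', '&amp;'), '<', '&lt;'), '>', '&gt;');
DECLARE @xml XML = CAST('<i>' + REPLACE(@escaped, ',', '</i><i>') + '</i>' AS XML);

-- 2. Shred the XML into one row per token and convert each one. TRY_CONVERT returns NULL
--    for anything that is not an integer instead of raising an error. An empty token
--    ('1,,3' or a trailing comma) is mapped to NULL explicitly, because CONVERT(INT, '')
--    would otherwise silently yield 0.
DECLARE @Tbl TABLE (Token VARCHAR(MAX), ID INT NULL);
INSERT INTO @Tbl (Token, ID)
SELECT t.Token,
       CASE WHEN t.Token = '' THEN NULL ELSE TRY_CONVERT(INT, t.Token) END
FROM (
    SELECT LTRIM(RTRIM(n.value('.', 'VARCHAR(MAX)'))) AS Token
    FROM @xml.nodes('/i') AS x(n)
) AS t;

-- 3. Reject the whole request if any token failed to convert, rather than quietly
--    dropping it: a caller sending '1, abc, 3' gets an error, not partial results.
IF EXISTS (SELECT 1 FROM @Tbl WHERE ID IS NULL)
BEGIN
    DECLARE @bad VARCHAR(MAX) = (SELECT TOP (1) Token FROM @Tbl WHERE ID IS NULL);
    RAISERROR('Parameter list contains a non-integer token: "%s"', 16, 1, @bad);
    RETURN;
END;

-- 4. Join on the parsed IDs. DISTINCT keeps a repeated ID ('1, 1, 2') from duplicating rows.
SELECT R.TripID, R.Destination
FROM @Trips AS R
INNER JOIN (SELECT DISTINCT ID FROM @Tbl) AS T ON R.TripID = T.ID
ORDER BY R.TripID;
```

With '1, 2, 3' the final SELECT returns the Oslo, Lisbon and Tokyo rows; with '1, abc, 3' the batch stops at step 3 with the RAISERROR message and runs no query against Trips. If the calling application can be changed, a table-valued parameter (passing the IDs as a user-defined table type) avoids string parsing altogether and is the cleaner option on SQL Server 2014; the built-in STRING_SPLIT function only arrived in SQL Server 2016.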
