Please start any new threads on our new site at https://forums.sqlteam.com. We've got lots of great SQL Server experts to answer whatever question you can come up with.

 All Forums
 General SQL Server Forums
 New to SQL Server Programming
 In ( ) with stored procedure

Author  Topic 

albertkohl
Aged Yak Warrior

740 Posts
Posted - 2007-04-14 : 20:12:50
Okay, so i found a script for a sql procedure that will take paramaters and run an sql command, my only problem is that for some of the parameters, i need to pass multipul values.

Procedure in question:
CREATE PROCEDURE geotest
                 @zipselect nvarchar(4000) as 

DECLARE @sql        nvarchar(4000),
        @paramlist  nvarchar(4000)

SELECT @sql =                                               
	'SELECT o.state_abbrv, count(o.state_abbrv) as kount  FROM   dbo.results o WHERE  1 = 1'                                        
                                                            
IF @zipselect<>'DF'
   SELECT @sql = @sql + ' AND o.zip in ('+'@xzipselect'+')'

SELECT @sql = @sql + ' group by o.state_abbrv ORDER BY o.state_abbrv'

SELECT @paramlist = '@xzipselect nvarchar(4000)'

EXEC sp_executesql @sql, @paramlist, @zipselect
GO


'DF' stands for my default value i dont want the procedure to add this to the select if the value is set to default because it will return everything, and at that point why add a filter right?

i'm trying to execute the code with: 


EXEC geotest @zipselect='85302'


this give me what i was looking for if i try this:


EXEC geotest @zipselect='85302,85029'



i get NOTHING. what can i do? PLEASE HELP. this is the last issue i have to work though to complete my program.

blindman
Master Smack Fu Yak Hacker

2365 Posts
Posted - 2007-04-14 : 23:03:28
You want someone to help you shoot yourself in the foot. Running dynamic SQL with a 4000 character parameter is practically begging for someone to use SQL injection to take over your server.

The proper way to handle this is to parse your parameter string into separate records of a temporary table, and then join this table in your select statement.

e4 d5 xd5 Nf6
Go to Top of Page

albertkohl
Aged Yak Warrior

740 Posts
Posted - 2007-04-14 : 23:12:09
:o) opps well thanks for that heads up. that could suck.

i was wanting to do temp tables, but i'm not sure how to set up tables to be kind like Session tables. know what i mean? how do i tell VB what the table to use is? would i have to pass some kind of connection ID so that other users data wont interfere with counts?

i'm a TOTAL n00b, any insight would be GREAT!
Go to Top of Page

jezemine
Master Smack Fu Yak Hacker

2886 Posts
Posted - 2007-04-15 : 00:07:12
here's how you can handle arrays in sql server:

http://www.sommarskog.se/arrays-in-sql.html

www.elsasoft.org
Go to Top of Page

madhivanan
Premature Yak Congratulator

22864 Posts
Posted - 2007-04-15 : 23:52:36
or
http://vyaskn.tripod.com/passing_arrays_to_stored_procedures.htm

Madhivanan

Failing to plan is Planning to fail
Go to Top of Page
   

Subscribe to SQLTeam.com

SQLTeam.com Articles via RSS

SQLTeam.com Weblog via RSS

- Advertisement -

Resources

Articles

Forums

Blogs

Contact Us

About the Site