Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

SQL In Clause with Zero to Many Parameters

Tags:

sql

mysql

I have a SQL query which is parameterized by a very limited in-house framework. The query looks like this:

Select * from somewhere
where name IN (:parameter);

The code will inject zero to many strings into the location specified by :parameter. The ":parameter" flag can only be used within the "IN" clause (so it can't be moved after the where clause to conditionally insert the 'name IN') section.

Sometimes the user will set parameter to:

'dog', 'cat'

Other times, the user will not put any values into the :parameter variable. This causes a problem since the resulting SQL query will be:

Select * from somewhere
where name IN ();

My code can catch the case where parameter is empty, but I need something which I can inject into the IN statement which is guaranteed to NEVER match an actual string.

Is there any SQL regular expression which I could inject which would NEVER match any string? Something like %.% or something....

Thanks!

like image 933
David Avatar asked Sep 14 '10 14:09

David


People also ask

How many values can be passed in in clause in SQL?

Answer: Oracle allows up to 1,000 IN list values in a SQL statement.

Can WHERE clause have multiple values?

The IN operator allows you to specify multiple values in a WHERE clause. The IN operator is a shorthand for multiple OR conditions.

How many values can be passed in in clause in MySQL?

The number of values in the IN Caluse can vary anywhere from 0 to thousands.


2 Answers

You can say:

where name in (null)

This will never match, since nothing is equal to null (not even null itself.)

like image 156
Andomar Avatar answered Sep 21 '22 10:09

Andomar


null should not match with anything.

like image 41
gpeche Avatar answered Sep 25 '22 10:09

gpeche