开发者

SQL In Clause with Zero to Many Parameters

开发者 https://www.devze.com 2023-01-16 06:45 出处:网络
I have a SQL query which is parameterized by a very limited in-house framework. The query looks like this:

I have a SQL query which is parameterized by a very limited in-house framework. The query looks like this:

Select * from somewhere
where name IN (:parameter);

The code will inject zero to many strings into the location specified by :parameter. The ":parameter" flag can only be used within the "IN" clause (so it can't be moved after the where clause to conditionally insert the 'name IN') section.

Sometimes the user will set parameter to:

'dog', 'cat'

Other times, the user will not put any values into the :parameter variable. This causes a problem since the resulting SQL query will be:

Select * from somewhere
where name IN ();

My code can catch the case where parameter is empty, but I need something which I can inject into the IN statement which is guaranteed to NEVER match an actual 开发者_StackOverflow中文版string.

Is there any SQL regular expression which I could inject which would NEVER match any string? Something like %.% or something....

Thanks!


You can say:

where name in (null)

This will never match, since nothing is equal to null (not even null itself.)


null should not match with anything.


I don't think you can guarantee that you will never match a existing string. The best thing that you could do is handle the case in which the statement doesn't work on the database; however, without knowing how the script is being executed I can't figure out much more from there.


Name cannot be null, so you can do empty string?

0

精彩评论

暂无评论...
验证码 换一张
取 消