-1

I want to select all from the table 'products' where city IN (Varberg,Falkenberg) and if I use the below it works, but if I have the cities in a variable I can´t get it to work? I'm using a mySql database.

sql = "SELECT * FROM products where city in ('Varberg','Falkenberg')" 
set rs = conn.Execute (sql)

So if I use this, it is not working.

cities=request.querystring(cities)

so that the variable becomes like this

cities="Varberg,Falkenberg"

sql = "SELECT * FROM products WHERE city IN ('"& cities &"')" 
set rs = conn.Execute (sql)
Dijkgraaf
  • 11,049
  • 17
  • 42
  • 54
Claes Gustavsson
  • 5,509
  • 11
  • 50
  • 86

2 Answers2

1

The query you generate misses two quotes. The generate query is 

SELECT * FROM products where city in ('Varberg,Falkenberg')

and not

SELECT * FROM products where city in ('Varberg','Falkenberg')

BTW: Never use parameters provided by the user without validation and proper sanitization.

gregor
  • 4,733
  • 3
  • 28
  • 43
0

The SQL statement created with your variable will be

SELECT * FROM products WHERE city IN ('Varberg,Falkenberg')

which is different than the one you're looking for:

SELECT * FROM products where city in ('Varberg','Falkenberg')

You need to adjust your code logic to generate the correct list for your variable. Your variable holds a single value list because of the missing single quotes. You need to add the quotes so the variable holds a multi-value list.

PS - your code is also wide open to SQL injection. You should be using a parameterized query.

squillman
  • 13,363
  • 3
  • 41
  • 60