C# Parameterized Query MySQL with `in` clause

Question

I am in the process of converting several queries which were hard-coded into the application and built on the fly to parameterized queries. I'm having trouble with one particular query, which has an in clause:

UPDATE TABLE_1 SET STATUS = 4 WHERE ID IN (1, 14, 145, 43);

The first parameter is easy, as it's just a normal parameter:

MySqlCommand m = new MySqlCommand("UPDATE TABLE_1 SET STATUS = ? WHERE ID IN (?);");
m.Parameters.Add(new MySqlParameter("", 2));

However, the second parameter is a list of integers representing the ids of the rows that need updating. How do I pass in a list of integers for a single parameter? Alternatively, how would you go about setting up this query so that you don't have to completely build it each and every time you call it, and can prevent SQL injection attacks?

Answer 1

I recently found out how slow find_in_set is, so I try to avoid it. I also try to avoid constructing my sql to help prevent injection attacks. I've found you can achieve what's required and use a parameterised query at the same time.

int[] ids = new int[] { 1, 2, 3};

command.CommandText = @"
  SET @temp = @ids;
  SELECT * FROM table_name WHERE table_name_id IN @temp;
";

command.Parameters.AddWithValue("ids", string.Join(",", ids));

Old question, but it confirmed my suspicion and I came up with this workaround.

Answer 2

Since MySQL 4.0 you can use FIND_IN_SET function to create parametrized SQL with 'in clause'.

Your code:

UPDATE TABLE_1 SET STATUS = 4 WHERE ID IN (1, 14, 145, 43);

Changed to use FIND_IN_SET:

UPDATE TABLE_1 SET STATUS = 4 WHERE FIND_IN_SET(ID, 1, 14, 145, 43);

Finally you can use variables to parametrize your query:

var s = "UPDATE TABLE_1 SET STATUS = 4 WHERE FIND_IN_SET(ID, ?)";
var params = "1, 14, 145, 43";

dataSource.Execute(s, params);

See the W3Schools reference and the MySQL Tutorial

Since FIND_IN_SET is a MySQL function it works with every language not just C#.

Answer 3

Old question, but in case anyone comes across this via Google, here's what I use:

int status = 4;  
string ids = "1,14,145,43";      

m.Parameters.AddWithValue("@Status", status);
m.Parameters.AddWithValue("@IDs", ids);

UPDATE TABLE_1 SET STATUS = @Status WHERE FIND_IN_SET(ID, @IDs) > 0;

Note: FIND_IN_SET is a mySQL specific function.

Credit, where credit is due: See this question: Add List<int> to a mysql parameter

Answer 4

Loop round your list of integers and perform individual updates.

MSSQL 2008 offers table-valued parameters to avoid this issue, I'm not aware of any similar functionality in MySQL.

Answer 5

You could build up the parametrised query "on the fly" based on the (presumably) variable number of parameters, and iterate over that to pass them in.

So, something like:

List foo; // assuming you have a List of items, in reality, it may be a List<int> or a List<myObject> with an id property, etc.

StringBuilder query = new StringBuilder( "UPDATE TABLE_1 SET STATUS = ? WHERE ID IN ( ?")
for( int i = 1; i++; i < foo.Count )
{   // Bit naive 
    query.Append( ", ?" );
}

query.Append( " );" );

MySqlCommand m = new MySqlCommand(query.ToString());
for( int i = 1; i++; i < foo.Count )
{
    m.Parameters.Add(new MySqlParameter(...));
}

Answer 6

This is not possible in MySQL. You can create a required number of parameters and do UPDATE ... IN (?,?,?,?). This prevents injection attacks (but still requires you to rebuild the query for each parameter count).

Other way is to pass a comma-separated string and parse it.

Answer 7

i'd suggest creating a function (assuming that mysql supports user defined functions) to break the parameter apart to return a table.

Answer 8

You cannot use parameters for an IN clause.