Datacontext ExecuteCommand Parameters in IN Statement

Question

What is the best way to run a custom expression sqlusing INfrom C # LinQ to sql datacontext? I tried:

db.ExecuteCommand(
   "UPDATE tblCard SET used = 1 WHERE id IN ({0}) AND customer_id = {1}",
   Request.Form["ids"], customer_id
);

This is normal for 1 element that passed through the form, but if I get a message through, for example, "2.1", then I get an exception sqlclient:

Conversion error when converting nvarchar '2.1' value to int data type.

If instead I use string.format to insert a parameter, it works fine, but obviously it is open to SQL injection.

+5

Matthew hood Apr 23 '09 at 13:58

1 answer

Marc Gravell · Accepted Answer · 2009-04-23T14:10:01+0000

LINQ-to-SQL ; TSQL- :

WHERE id IN (@p0)

@p0 '123,456,789'.

LINQ Contains. ExecuteQuery ; , , CSV " " UDF :

UPDATE c SET c.used = 1
FROM dbo.SplitCsv({0}) udf
INNER JOIN tblCard c
        ON c.Id = udf.Value
       AND c.Customer_ID = {1}

dbo.SplitCsv "" udf, .