The sql prefix unlocks a StringContext in which you can set SQL parameters. There is no SQL parameter for a list, so you can easily open yourself up to SQL injection here if you are not careful. There are some good (and some dangerous) suggestions for resolving this issue with SQL Server on this question. You have several options:
It is best to use the #$ operator along with mkString to interpolate dynamic SQL:
val sql = sql"""SELECT * FROM coffee WHERE id IN (#${ids.mkString(",")})"""
This does not use parameters properly and therefore may be open to SQL injection and other problems.
Another option is to use standard string interpolation and mkString to build the statement:
val query = s"""SELECT * FROM coffee WHERE id IN (${ids.mkString(",")})"""
StaticQuery.queryNA[Coffee](query)
This is essentially the same approach as using #$, but can be more flexible in the general case.
If the SQL injection vulnerability is the main problem (for example, if the ids elements are provided by the user), you can build a query with a parameter for each ids element. Then you need to provide a custom instance of SetParameter so that Slick can include the List in the parameters:
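// Slick 2.x package names
import scala.slick.jdbc.{StaticQuery => Q, SetParameter, PositionedParameters}

// Binds each list element to the next positional "?" in the statement
implicit val setStringListParameter: SetParameter[List[String]] = new SetParameter[List[String]] {
  def apply(v1: List[String], v2: PositionedParameters): Unit = {
    v1.foreach(v2.setString)
  }
}

// One "?" per element; an empty ids list would yield "IN ()", which is not valid SQL
val idsInClause = List.fill(ids.length)("?").mkString("(", ",", ")")
val query = s"""SELECT * FROM coffee WHERE id IN ($idsInClause)"""
// s is the database session
Q.query[List[String], String](query).apply(ids).list(s)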
Since your ids are Ints, this is probably less of a concern, but if you prefer this method, you just need to change setStringListParameter to use Int instead of String:
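Separately from the Int variant mentioned above, here is an added example (not part of the original answer and not Slick's own code) that contrasts the mkString approach with the one-placeholder-per-element approach for String ids, without needing a database. The names InClauseDemo, placeholders, spliced, parameterized and bindAll are hypothetical, and the sample ids are constructed.

```scala
import java.sql.PreparedStatement

// Added example; all names here are hypothetical, not part of Slick.
object InClauseDemo {

  /** "(?,?,?)" for n values. Rejects n == 0 because "IN ()" is not valid SQL. */
  def placeholders(n: Int): String = {
    require(n > 0, "IN clause needs at least one value")
    List.fill(n)("?").mkString("(", ",", ")")
  }

  /** mkString approach: the element text becomes part of the SQL statement. */
  def spliced(ids: Seq[String]): String =
    s"SELECT * FROM coffee WHERE id IN (${ids.mkString(",")})"

  /** Placeholder approach: the SQL text depends only on how many ids there are. */
  def parameterized(ids: Seq[String]): (String, Seq[String]) =
    (s"SELECT * FROM coffee WHERE id IN ${placeholders(ids.length)}", ids)

  /** What a SetParameter[List[String]] does, written against plain JDBC
    * (JDBC parameter indexes start at 1). */
  def bindAll(ps: PreparedStatement, ids: Seq[String]): Unit =
    ids.zipWithIndex.foreach { case (id, i) => ps.setString(i + 1, id) }

  def main(args: Array[String]): Unit = {
    // Constructed input: the second element carries SQL text instead of an id.
    val ids = List("1", "2) OR (1=1")

    // The element's text changes the structure of the WHERE clause.
    println(spliced(ids))

    // The statement has the same shape for any two-element list;
    // the values travel separately and are only ever compared against id.
    val (sql, binds) = parameterized(ids)
    println(sql)
    println(binds)

    // An empty list is rejected before any SQL is built.
    try placeholders(0)
    catch { case e: IllegalArgumentException => println(e.getMessage) }
  }
}
```

If ids can legitimately be empty, decide at the call site whether that means "no rows" and skip the query, rather than emitting IN ().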