如何在参数化SQL查询中将字符串数组或字符串向量传递给IN子句？

Question

I have this code in my executeQueries.ec file

sprintf(sqlQuery,
"select distinct e.emp_id, e.join_date \
from employees e
where e.emp_id in (?) and e.dob <= '%s')");

$prepare empDataStmt from $sqlQuery;
if (sqlca.sqlcode)
{
    fprintf(stderr, "Error %d in prepare empDataStmt%s\n",
    sqlca.sqlcode, sqlQuery);
    return 0;
}
$declare empDataCursor cursor for incptDatesStmt;

if (pcs_sql_check("Error in declaring empDataCursor Stmt"))
{
    return 1;
}

$open empDataCursor using $empIds_,dob_ ;

When I dbx the code and print empIds_ , I get this on console:

""04-Emp1","W2-Emp2""

Which means content of empIds_ is "04-Emp1","W2-Emp2" (quotes included). The question is that the number of empIds can be anything from 1 to 100 or 500. For example it can even be:

"04-Emp1","W2-Emp2","04-Emp4","W2-Emp3","0A-Emp1","E2-Emp7"

Because of this I can not get my code to work. Can anybody help me to write this code with using "?" for parametrized query that can handle any number of empIds . Please note that the content of empIds_ will always have double-quotes embedded in them. I do not know whether this is a good thing or bad but I cannot do anything to prevent it.

Answer 1

A Minor Diversion

You have some syntactic problems in what you show us:

sprintf(sqlQuery,
"select distinct e.emp_id, e.join_date \
from employees e
where e.emp_id in (?) and e.dob <= '%s')");

That won't compile; you'd need a second backslash after employees e . I strong recommend avoiding backslash-newline in strings; use string concatenation instead.

sprintf(sqlQuery, "select distinct e.emp_id, e.join_date from employees e "
                  "where e.emp_id in (?) and e.dob <= '%s')");

Note that there is just white space (comments would count as white space too) between the two parts of the string; the C compiler concatenates such strings into a single string.

Now the sprintf() call is syntactically correct at the C source level; it is still semantically incorrect because it contains %s and you've not provided a string for it to copy. You should presumably be using a placeholder ? for the date since you pass it to the $open statement as a second parameter (but there isn't actually a placeholder for it).

You would then be able to avoid an explicit prepare operation by writing:

$ DECLARE empDataCursor FOR
    SELECT DISTINCT e.emp_id, e.join_date
      FROM employees e 
     WHERE e.emp_id IN ($empIds_) AND e.dob <= $dob_;

---

The Crux

However, this isn't going to work for you, unfortunately. The crux of your problem is you are trying to pass a string as a list of values for the IN clause. It simply doesn't work like that. If you have one value, you need one placeholder ( ? ); if you have two values, you need two placeholders, etc.

So, we end up going back to a full prepared statement and substitute the empIds into the string:

 int reqlen;

 reqlen = snprintf(sqlQuery, sizeof(sqlQuery), "SELECT DISTINCT e.emp_id, e.join_date"
                       " FROM employees e WHERE  e.emp_id IN (%s) AND e.dob <= '%s'",
                       empIds_, dob_);

 if (reqlen >= sizeof(sqlQuery))
     ...truncated SQL...larger sqlQuery needed...

 $ PREPARE empDataStmt FROM $sqlQuery;
 ...SQL error check...
 $ DECLARE empDataCursor FOR empDataStmt;
 ...SQL error check...

 $ OPEN empDataCursor;   /* No USING clause! */
 ...SQL error check...

 ...code as before...