
Re: Array data type in mysql
Posted by: Gary Malcolm
Date: November 21, 2007 04:56PM

Don't just pass strings into stored procedures and then just enter them as concatenation to a query... for the sake of security.

I wrote this procedure that returns a list of integers from a string using a temp table as a liaison. You will avoid a lot of SQL injection this way :-)

DELIMITER $$

DROP PROCEDURE IF EXISTS `YourDB`.`sp_parseIntList` $$
CREATE DEFINER=`hotstuff`@`%` PROCEDURE `sp_parseIntList`(
    _intlist TEXT )
BEGIN

    DECLARE comma INT DEFAULT 0;
    DECLARE mylist TEXT DEFAULT _intlist;
    DECLARE temp TEXT DEFAULT '';
    DECLARE strlen INT DEFAULT LENGTH(_intlist);

    -- Clear any table left behind by an earlier call in this session.
    DROP TEMPORARY TABLE IF EXISTS TempTable;
    -- ENGINE= replaces the old TYPE= keyword, which current servers reject.
    CREATE TEMPORARY TABLE TempTable (num INT) ENGINE=InnoDB;

    SET comma = LOCATE(',', mylist);

    WHILE strlen > 0 DO
        IF comma = 0 THEN
            -- No comma left: the remainder is the last element.
            SET temp = TRIM(mylist);
            SET mylist = '';
            SET strlen = 0;
        ELSE
            -- Take the text before the comma (comma - 1 excludes the comma itself).
            SET temp = TRIM(SUBSTRING(mylist, 1, comma - 1));
            SET mylist = TRIM(SUBSTRING(mylist FROM comma + 1));
            SET strlen = LENGTH(mylist);
        END IF;

        -- Non-numeric text casts to 0 and is skipped.
        IF CAST(temp AS UNSIGNED) != 0 THEN
            INSERT INTO TempTable VALUES (CAST(temp AS UNSIGNED));
        END IF;
        SET comma = LOCATE(',', mylist);
    END WHILE;

    SELECT * FROM TempTable;

    DROP TEMPORARY TABLE IF EXISTS TempTable;

END $$

DELIMITER ;
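
Added example, not part of the original post: the concatenation pattern the post warns against, next to a variant of the temp-table approach that joins the parsed integers in a static query. The `orders` table, its columns, the temp table name and both procedure names are hypothetical.

```sql
DELIMITER $$

-- Weak: the caller's text becomes part of the statement itself, so an
-- argument such as '0) OR (1=1' rewrites the WHERE clause.
CREATE PROCEDURE sp_orders_concat(_ids TEXT)
BEGIN
  SET @q = CONCAT('SELECT id, customer FROM orders WHERE id IN (', _ids, ')');
  PREPARE stmt FROM @q;
  EXECUTE stmt;
  DEALLOCATE PREPARE stmt;
END $$

-- Hardened: the text is only ever handled as data. Each token must be all
-- digits before it is stored, and the final query is static SQL.
CREATE PROCEDURE sp_orders_by_ids(_ids TEXT)
BEGIN
  -- A trailing comma is appended so every token ends at a comma.
  DECLARE rest TEXT DEFAULT CONCAT(IFNULL(_ids, ''), ',');
  DECLARE tok  TEXT;
  DECLARE pos  INT;

  DROP TEMPORARY TABLE IF EXISTS wanted_ids;
  CREATE TEMPORARY TABLE wanted_ids (num INT UNSIGNED PRIMARY KEY);

  SET pos = LOCATE(',', rest);
  WHILE pos > 0 DO
    SET tok  = TRIM(SUBSTRING(rest, 1, pos - 1));
    SET rest = SUBSTRING(rest, pos + 1);
    -- Accept 1 to 9 digits only, so the value always fits INT UNSIGNED.
    IF tok REGEXP '^[0-9]{1,9}$' THEN
      INSERT IGNORE INTO wanted_ids VALUES (CAST(tok AS UNSIGNED));
    END IF;
    SET pos = LOCATE(',', rest);
  END WHILE;

  SELECT o.id, o.customer
  FROM orders AS o
  JOIN wanted_ids AS w ON w.num = o.id;

  DROP TEMPORARY TABLE IF EXISTS wanted_ids;
END $$

DELIMITER ;

-- Constructed input: two valid ids, a duplicate, and two tokens that
-- fail the digit check and are skipped.
CALL sp_orders_by_ids('3, 7,abc, 7, 0) OR (1=1');
```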
