Question

I have a checkboxlist and I populate it dynamically from a database. For example, after I populate it, the checkboxlist looks like this:

  • Los Angeles
  • New York
  • London
  • Berlin
  • Amsterdam

I want to create a SQL query according to which checkboxes are checked. If I want to choose only one city (e.g. only New York), I want the result to be:

(City = 2)

That works properly, but when I have multiple cities (e.g. New York, London and Amsterdam), I want the result to be, for example:

(City = 2) OR (City = 3) OR (City = 5)

Or if i choose Los Angeles and Berlin I want the result to be like this:

(City = 1) OR (City = 4)

How can I achieve this? That's my code below, but I am stuck. Any ideas?

Protected Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
    Dim var As String = ""
    Dim counter As Integer = 0
    Dim myList As New List(Of String)()
    For i As Integer = 0 To CheckBoxList1.Items.Count - 1
        If CheckBoxList1.Items(i).Selected Then
            myList.Add(i + 1)
            counter = counter + 1
            If counter = 1 Then
                var = "(City =" & i + 1 & ")"
            Else
                Console.WriteLine(myList(1))
                Dim myArray As String() = myList.ToArray()
                For j As Integer = 1 To myArray.Length
                    Dim var2 As String = " OR (City =" & counter & ")"
                    var = "(City =" & myArray(0) & ")" & var2
                Next
            End If
        End If
    Next
    SQL = "SELECT * FROM Data1 WHERE (" & var & ") ORDER BY [ID]"
    Session("Search") = SQL
    Server.Transfer("Data_Form.aspx")
End Sub

Solution 2

You can use City IN(2,3,5) instead of (City = 2) OR (City = 3) OR (City = 5):

Protected Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
    Dim condition As String = ""
    For i As Integer = 0 To CheckBoxList1.Items.Count - 1
        If CheckBoxList1.Items(i).Selected Then
            condition = condition & "," & (i + 1)
        End If
    Next
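    'Nothing selected: Substring(1) would throw on an empty string
    If condition.Length = 0 Then Return
    'condition starts with a comma, so Substring(1) drops it
    SQL = "SELECT * FROM Data1 WHERE City IN (" & condition.Substring(1) & ") ORDER BY [ID]"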
    Session("Search") = SQL
    Server.Transfer("Data_Form.aspx")
End Sub

Other tips

What I recommend most strongly is to look into Table-Valued Parameters:

http://msdn.microsoft.com/en-us/library/bb675163(v=vs.110).aspx

This will fix your issue and help you avoid SQL injection vulnerabilities.

But if you really insist on using string concatenation, try using an IN() condition, where you end up with something more like CITY IN (1,2) instead of (City = 1 OR City = 2). You can make this a bit easier to write by leading with an unused ID, like so:

Dim cityClause As String = " CITY IN (-1{0})" 'start with a valid clause
Dim cityIDs As String = ""
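'Items is a non-generic collection, so Cast is needed before Where (requires Imports System.Linq)
For Each box As ListItem In CheckBoxList1.Items.Cast(Of ListItem)().Where(Function(b) b.Selected)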
     'Try storing the ID for each city in the value part of each listitem,
     ' rather than using the index order 
     cityIDs = cityIDs & "," & box.Value
Next box
cityClause = String.Format(cityClause, cityIDs)
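
The answers above build the IN list by string concatenation. As an added example (not code from any of the posts), the same clause can be built with one SqlParameter per selected city, so no value ever becomes part of the SQL text; this is a parameterized IN list, not the table-valued parameter approach linked above. It assumes the Data1 table and City column from the question and integer city IDs; BuildCitySearch and the @cityN parameter names are hypothetical.

```vb
Imports System
Imports System.Collections.Generic
Imports System.Data
Imports System.Data.SqlClient

Module CitySearchExample
    ' Hypothetical helper: builds a parameterized command for the selected city IDs.
    ' Table Data1 and column City come from the question; IDs are assumed to be integers.
    Function BuildCitySearch(selectedValues As IEnumerable(Of String)) As SqlCommand
        Dim ids As New List(Of Integer)
        For Each raw As String In selectedValues
            Dim id As Integer
            ' Reject anything that is not a plain integer instead of passing it on.
            If Not Integer.TryParse(raw, id) Then
                Throw New ArgumentException("City ID is not an integer: " & raw)
            End If
            If Not ids.Contains(id) Then ids.Add(id)
        Next

        Dim cmd As New SqlCommand()
        If ids.Count = 0 Then
            ' Nothing checked: return no rows rather than emitting "IN ()".
            cmd.CommandText = "SELECT * FROM Data1 WHERE 1 = 0 ORDER BY [ID]"
            Return cmd
        End If

        ' One placeholder per ID: @city0, @city1, ...
        Dim names As New List(Of String)
        For i As Integer = 0 To ids.Count - 1
            names.Add("@city" & i)
            cmd.Parameters.Add("@city" & i, SqlDbType.Int).Value = ids(i)
        Next
        cmd.CommandText = "SELECT * FROM Data1 WHERE City IN (" &
                          String.Join(", ", names) & ") ORDER BY [ID]"
        Return cmd
    End Function

    Sub Main()
        ' Constructed sample input: New York, London and Amsterdam checked.
        Dim cmd = BuildCitySearch({"2", "3", "5"})
        Console.WriteLine(cmd.CommandText)
        For Each p As SqlParameter In cmd.Parameters
            Console.WriteLine(p.ParameterName & " = " & p.Value.ToString())
        Next
    End Sub
End Module
```

The returned command still needs its Connection set before it is executed; only the selected IDs, not a finished SQL string, would need to be passed to the results page.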
License: CC-BY-SA with attribution
Not affiliated with StackOverflow