Comment Re:Use a persistence library (Score 3, Informative) 267
Dim sql As String = "SELECT item FROM table WHERE keyword IN ("
Dim FirstValue As Boolean = True
Dim ParamNo As Integer = 1
For Each Value In MyValueList
    If Not FirstValue Then
        sql &= ","
    Else
        FirstValue = False
    End If
    ' One named parameter per value: only the placeholder name is appended to the SQL text,
    ' the value itself is handed to the command object separately
    sql &= "@Param_" & ParamNo
    cmd.Parameters.AddWithValue("@Param_" & ParamNo, Value)
    ParamNo += 1
Next
sql &= ")"
' Attach the finished query text to the command before executing it
cmd.CommandText = sql
Since there is no user input used in generating the query, you can never have an SQL injection attack, and still use dynamic queries. There are ways to do dynamic queries without opening yourself up to attacks.
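The same technique in Python against an in-memory SQLite table, as an added example that is not part of the comment above: the query text is built from fixed identifiers plus one placeholder per value, while the values travel in the parameter list. An injection-looking value is shown doing nothing against the parameterized query and succeeding against the concatenated version it replaces. The table name, column name and sample rows are constructed for this example; the empty-list case is handled because `IN ()` is a syntax error in most engines.

```python
import sqlite3
from typing import List, Sequence, Tuple

# Identifiers are fixed constants in code, never taken from the caller:
# placeholders can only carry values, so table and column names must be trusted.
TABLE = "items"      # constructed sample table name (assumption for this example)
COLUMN = "keyword"


def build_in_query(values: Sequence[str]) -> Tuple[str, List[str]]:
    """Return (sql, params) for SELECT item FROM items WHERE keyword IN (...).

    The SQL text contains only the fixed identifiers and one '?' per value;
    the values never touch the query string, which is what makes the dynamic
    IN list immune to injection regardless of what the values contain.
    """
    if not values:
        # 'IN ()' is a syntax error in most engines; match nothing instead.
        return f"SELECT item FROM {TABLE} WHERE 0", []
    placeholders = ", ".join("?" for _ in values)
    sql = f"SELECT item FROM {TABLE} WHERE {COLUMN} IN ({placeholders})"
    return sql, list(values)


def lookup(conn: sqlite3.Connection, values: Sequence[str]) -> List[str]:
    """Parameterized lookup: values are bound by the driver, not pasted in."""
    sql, params = build_in_query(values)
    return [row[0] for row in conn.execute(sql, params)]


def unsafe_lookup(conn: sqlite3.Connection, values: Sequence[str]) -> List[str]:
    """The pattern the parameterized version replaces: values quoted by hand
    and concatenated into the SQL text. Shown only to demonstrate the difference."""
    quoted = ", ".join("'" + v + "'" for v in values)
    sql = f"SELECT item FROM {TABLE} WHERE {COLUMN} IN ({quoted})"
    return [row[0] for row in conn.execute(sql)]


def sample_db() -> sqlite3.Connection:
    """Constructed sample data: two rows tagged 'tools', one tagged 'admin'."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {TABLE} (item TEXT, {COLUMN} TEXT)")
    conn.executemany(
        f"INSERT INTO {TABLE} VALUES (?, ?)",
        [("widget", "tools"), ("gadget", "tools"), ("secret", "admin")],
    )
    return conn


if __name__ == "__main__":
    conn = sample_db()
    hostile = ["tools", "x') OR 1=1 --"]
    print("parameterized:", lookup(conn, hostile))        # only the 'tools' rows
    print("concatenated: ", unsafe_lookup(conn, hostile))  # every row, 'secret' included
    print("empty list:   ", lookup(conn, []))
```

One caveat a practitioner should keep in mind: every value becomes a bound parameter, and engines cap the number of parameters per statement, so very long lists need batching or a temporary table rather than a single IN clause.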