Use multiselector in table as constrain in a sql where clause

Hi,

I'm encountering an issue when trying to use the values from a multiselector component in a subsequent SQL query within my Retool application.

My goal is to use the selected values from the multiselector to dynamically generate an IN clause within the WHERE condition of my SQL query.

Specifically, I have a query that outputs a table of data. I then want to use the values selected in a multiselector to filter table (new_table) based on the new_id column.

My current attempt looks like this:

SELECT * FROM new_table WHERE new_id IN ({{ multiselector.value }});

However, this approach results in an error. I suspect the issue lies in how the multiselector.value is being interpolated into the SQL query. The multiselector.value returns an array (e.g., ["1", "2", "3"]), and directly embedding this array into the SQL IN clause doesn't seem to be working correctly.

I understand that directly injecting arrays into SQL queries can lead to SQL injection vulnerabilities. Therefore, I'm looking for a secure and correct way to achieve this filtering.

I've considered the following potential issue:

  • Incorrect formatting for the IN clause: The SQL IN clause requires comma-separated values within parentheses (e.g., IN (1, 2, 3)), not an array literal.

Could someone provide guidance on the correct way to construct this query in Retool, ensuring proper data type handling and preventing SQL injection vulnerabilities? Ideally, I'm looking for a solution that correctly formats the IN clause based on the multiselector's selected values.

Example of desired outcome:

If multiselector.value is ["1", "5", "10"], the resulting SQL query should be:

SELECT * FROM new_table WHERE new_id IN (1, 5, 10);

Any help would be greatly appreciated.

Thanks.

Hey there @ohmyboroda,

Can you try

SELECT * FROM new_table WHERE new_id = any ({{ multiselector.value }});

1 Like

Hi!

Thanks for the suggestion. Yes, I tried ANY as well and I get error.

1 Like

Got it
Updated the data being provided.

2 Likes