If you are forming the dynamic query in the VB code, ensure that you have taken measures to prevent SQL Injection.
Refer to the links below if you really care about preventing attacks on your application:
sql server - Parameterize an SQL IN clause - Stack Overflow
How to pass sqlparameter to IN()? - Stack Overflow
' Build the SELECT as a string and append an IN (...) filter only when the user
' actually supplied reference numbers.
Dim Filter As String = " Select * from TableName "
Dim inQuery As String = ""
' Comma-separated reference numbers from the textbox, stray leading/trailing commas removed.
Dim csvRefNo As String = txtReferenceNo.Text.Trim.TrimEnd(",").TrimStart(",")
If Not String.IsNullOrWhiteSpace(csvRefNo) Then
    Dim refNos() As String = csvRefNo.Split(New String() {","}, StringSplitOptions.RemoveEmptyEntries)
    For Each refNo As String In refNos
        ' Single quotes are stripped so a value cannot close the string literal;
        ' the value is still concatenated into the SQL text, which is what the
        ' parameterized IN clause in the links above avoids.
        inQuery = inQuery + String.Format("'{0}',", refNo.Replace("'", ""))
    Next
    inQuery = inQuery.Trim.TrimEnd(",")   ' drop the trailing comma
    inQuery = " where ReferenceNo IN ( " + inQuery + " )"
End If
Filter = Filter + inQuery
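The parameterized version of the same IN clause, as an added example that is not the answerer's code: the table and column names (TableName, ReferenceNo), the parameter names @p0.., the NVarChar(50) type and the sample input are assumptions; it builds a SqlCommand offline and handles the empty-list case, where "IN ()" would be a syntax error.

```vb
Imports System
Imports System.Collections.Generic
Imports System.Data
Imports System.Data.SqlClient

Module ReferenceLookup

    ' Builds "SELECT * FROM TableName WHERE ReferenceNo IN (@p0, @p1, ...)" from a
    ' comma-separated user string. Values travel as parameters, never as SQL text,
    ' so quotes or comment markers in the input are plain data to SQL Server.
    Public Function BuildFilterCommand(csvRefNo As String) As SqlCommand
        Dim cmd As New SqlCommand("SELECT * FROM TableName")

        Dim refNos As New List(Of String)
        If Not String.IsNullOrWhiteSpace(csvRefNo) Then
            For Each part As String In csvRefNo.Split(","c)
                Dim value As String = part.Trim()
                If value.Length > 0 Then refNos.Add(value)
            Next
        End If

        ' Edge case: no values means no IN clause; "IN ()" is a syntax error.
        If refNos.Count = 0 Then Return cmd

        Dim names As New List(Of String)
        For i As Integer = 0 To refNos.Count - 1
            Dim pName As String = "@p" & i
            names.Add(pName)
            ' Declared type/length (assumed NVarChar(50)) avoids implicit conversion on the ReferenceNo index.
            cmd.Parameters.Add(pName, SqlDbType.NVarChar, 50).Value = refNos(i)
        Next

        cmd.CommandText &= " WHERE ReferenceNo IN (" & String.Join(", ", names) & ")"
        Return cmd
    End Function

    Sub Main()
        ' Constructed sample input; the apostrophe is carried as data, not as SQL.
        Dim cmd As SqlCommand = BuildFilterCommand(" A100,, B200 ,O'Neil-3 ")
        Console.WriteLine(cmd.CommandText)
        For Each p As SqlParameter In cmd.Parameters
            Console.WriteLine("{0} = {1}", p.ParameterName, p.Value)
        Next
        ' Assign cmd.Connection to an open SqlConnection before calling ExecuteReader.
    End Sub

End Module
```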