Mysql where id is in array [duplicate]
I have a string of ids like 1,2,3,4,5 and I want to be able to list all rows in mysql where the ID is contained in that list.

I assumed the easiest way would be to turn the string into an array and then match in ($array) but it doesn't work for me - no errors etc but it returns no rows:

$string="1,2,3,4,5";
$array=array_map('intval', explode(',', $string));
$query=mysqli_query($conn, "SELECT name FROM users WHERE id IN ('".$array."')");

If I do a var_dump of $array I get:

array(5) { 
    [0]=> int(1) 
    [1]=> int(2) 
    [2]=> int(3) 
    [3]=> int(4) 
    [4]=> int(5) 
}

Any idea where I am screwing up?

Sacks answered 25/11, 2013 at 20:52 Comment(1)
Are the Ids strings or Integers? – Incarcerate
99
$string="1,2,3,4,5";
$array=array_map('intval', explode(',', $string));
// join the integers as 1','2','3','4','5 so that the quotes already in the
// query wrap the first and last value: IN ('1','2','3','4','5')
$array = implode("','",$array);
$query=mysqli_query($conn, "SELECT name FROM users WHERE id IN ('".$array."')");

NB: the syntax is:

SELECT * FROM table WHERE column IN('value1','value2','value3')

Assimilable answered 25/11, 2013 at 20:57 Comment(6)
@Sacks it might have worked great, but it is subject to vulnerabilities... – Owen
How so? I showed a VERY simplified and stripped down view of the code (including the actual query itself) to avoid putting too much unnecessary code but I am happy that the array content is sanitised and safe. – Sacks
@Sacks You are not parameterizing anything. Especially if the string is coming from the client there could be issues. – Owen
@Owen parameterizing is a solid way to protect against sql injection but that doesn't mean all other ways are wrong. If I expect a value of "10" and I do $string==10 this is not any weaker than parameterizing. – Assimilable
how would you parameterize this statement? – Plea
@Owen That array went through intval(), there is no room for SQL injection. I use intval a lot myself when I only work with numbers. – Hemangioma
10

Your query translates to:

SELECT name FROM users WHERE id IN ('Array');

Or something to that effect.

Try using prepared queries instead, something like:

$numbers = explode(',', $string);
// one "?" placeholder per value, joined as ?,?,? (no quotes around the
// placeholders, otherwise MySQL sees a single string literal and there is
// nothing to bind)
$prepare = array_map(function(){ return '?'; }, $numbers);
$statement = mysqli_prepare($link , "SELECT name FROM users WHERE id IN (".implode(',', $prepare).")");
if($statement) {
   // one 'i' (integer) type specifier per value
   $ints = array_map(function(){ return 'i'; }, $numbers);
   // mysqli_stmt_bind_param takes its values by reference; argument unpacking
   // (PHP 5.6+) passes them as references, which call_user_func_array with a
   // plain array does not
   mysqli_stmt_bind_param($statement, implode('', $ints), ...$numbers);
   mysqli_stmt_execute($statement);                 // returns true/false, not a result set
   $results = mysqli_stmt_get_result($statement);   // needs the mysqlnd driver
   // do something with results
   // ...
}
Owen answered 25/11, 2013 at 20:54 Comment(0)
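Putting the accepted answer's intval() sanitising and Owen's prepared statement together, here is an added example; it is not code from the original question or from any of the answers. It assumes a users table with an integer id column and a name column and an open mysqli connection; the function names parseIdList and selectNamesByIds are my own. It also handles the edge cases the answers skip: an empty list (IN () is a MySQL syntax error), stray whitespace, duplicate ids, and non-numeric tokens, which are rejected rather than silently coerced.

```php
<?php
// Added example (not from the original question or answers).
// Assumes a table users(id INT, name VARCHAR) and an open mysqli connection.

/**
 * Parse "1, 2,3,,4" into a de-duplicated list of positive integers.
 * Rejects anything that is not a plain integer instead of coercing it
 * (intval("12abc") would silently become 12 and hide malformed input).
 */
function parseIdList(string $csv): array
{
    $ids = [];
    foreach (explode(',', $csv) as $token) {
        $token = trim($token);
        if ($token === '') {
            continue;                       // tolerate "1,,2" and trailing commas
        }
        if (!preg_match('/^[1-9][0-9]*$/', $token)) {
            throw new InvalidArgumentException("Not an integer id: {$token}");
        }
        $ids[(int) $token] = true;          // de-duplicate via array keys
    }
    return array_keys($ids);
}

/**
 * SELECT name FROM users WHERE id IN (...) with every id bound as a parameter.
 * Returns a list of names; an empty id list returns [] without touching the
 * database, because "IN ()" is a MySQL syntax error.
 */
function selectNamesByIds(mysqli $conn, string $csv): array
{
    $ids = parseIdList($csv);
    if ($ids === []) {
        return [];
    }

    // One "?" per value; note there are no quotes around the placeholders.
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $sql = "SELECT name FROM users WHERE id IN ({$placeholders})";

    $stmt = $conn->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }

    // One 'i' (integer) type specifier per bound value. bind_param takes its
    // arguments by reference; argument unpacking (PHP 5.6+) handles that.
    $stmt->bind_param(str_repeat('i', count($ids)), ...$ids);
    $stmt->execute();

    // bind_result/fetch works with or without the mysqlnd driver.
    $names = [];
    $stmt->bind_result($name);
    while ($stmt->fetch()) {
        $names[] = $name;
    }
    $stmt->close();
    return $names;
}

// Usage (needs a live connection; the credentials below are placeholders):
// $conn = new mysqli('localhost', 'user', 'password', 'dbname');
// print_r(selectNamesByIds($conn, '1,2,3,4,5'));
```

The id values never touch the SQL text: the query contains only placeholders, so the safety of the statement does not depend on intval() having been applied upstream, and a malformed list fails loudly at parse time instead of being quietly turned into a different query.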
L
4

Change

$array=array_map('intval', explode(',', $string));

To:

$array= implode(',', array_map('intval', explode(',', $string)));

array_map returns an array, not a string. You need to convert the array to a comma separated string in order to use in the WHERE clause.

Lenity answered 25/11, 2013 at 20:58 Comment(5)
Then that just turns it back into the original string... What is the point? – Owen
I believe that's what he requested. – Lenity
This looks like the same end result as my chosen answer but in one line rather than two so not sure why the downvote? FYI @Lenity I did not downvote this. – Sacks
@Sacks this answer is the same as doing: $query=mysqli_query($conn, "SELECT name FROM users WHERE id IN ('".$string."')"); It does not change the original string at all. – Owen
@Owen Well the OP wanted to run the intval() function on each value in the array, then spit back a comma-separated string. I accomplished what was asked by the OP, nothing more, whether or not array_map() was required. – Lenity
