Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Using php array with IN

0 views
Skip to first unread message

Chris

unread,
Nov 11, 2009, 2:49:52 PM11/11/09
to
Using IN can I use an actual php array?

This doesn't work but should give an idea of what I am trying to do.

SELECT id FROM table WHERE var IN ($arr)

Thanks,

Chris

Erick T. Barkhuis

unread,
Nov 11, 2009, 2:54:26 PM11/11/09
to
Chris:

>Using IN can I use an actual php array?
>

>SELECT id FROM table WHERE var IN ($arr)

Have a look at the PHP implode() function. You can list the array items
as a string with a comma as item separator, which is what you want.

--
Erick

J.O. Aho

unread,
Nov 11, 2009, 2:52:39 PM11/11/09
to

Really nothing to do with mysql, so added alt.php.


//Example for numbers:
$query = "SELECT id FROM table WHERE var IN (".implode(',', $arr).")";

//Example for strings:
$query = "SELECT id FROM table WHERE var IN ('".implode("','", $arr)."')";


--

//Aho

Luuk

unread,
Nov 11, 2009, 3:02:44 PM11/11/09
to
Chris schreef:

It will not work because MySQL has no idea how a PHP-array looks like

So, you should write some PHP-code to 'translate' the array into
something that MYSQL understands, and that confirms to what you are
trying to get with the statement above...

--
Luuk

Chris

unread,
Nov 11, 2009, 6:35:05 PM11/11/09
to

Thanks all!

Hadn't thought of implode.

Chris

C. (http://symcbean.blogspot.com/)

unread,
Nov 12, 2009, 8:32:34 AM11/12/09
to

Looks like a good recipe for sql injection attacks.

Although the mysql_query function will only execute one statement per
call, there's still the opportunity for undermining the behaviour of
the query.

This is safer:

function array_to_mysql_in($cur,$next)
{
$cur.=$cur ? ',' : '';
return $cur . "'" . mysql_real_escape_string($next) . "'";
}
$query = "SELECT id FROM table WHERE var IN (".array_reduce
($arr,'array_to_mysql_in').")";

C.

Jerry Stuckle

unread,
Nov 12, 2009, 8:40:44 AM11/12/09
to

Not to mention that the code will also fail with a value such as "O'Brian".

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstu...@attglobal.net
==================

Mau C

unread,
Nov 12, 2009, 10:04:58 AM11/12/09
to
Jerry Stuckle ha scritto:

>>
>> Looks like a good recipe for sql injection attacks.
>
> Not to mention that the code will also fail with a value such as "O'Brian".
>

I think (not tested) a prepared statement & bind parameters might
prevent both...

regards,
M.

Taliesin Nuin

unread,
Nov 12, 2009, 10:39:45 AM11/12/09
to

Ah yes, but try preparing statements and binding parameters where the
query consists of

WHERE x IN (var1, var2, var3... uncertain number of vars)

which is the format of the OP's query. The best you can do (I welcome
corrections, though), is to create a parameter of the SET type and pass
that in. However, though you'd get points for sneakiness (twas the good
Captain P suggested this one a while back), you do have to keep an eye
out for the upper limit of how many values the SET type can hold.

Taliesin Nuin.

Jerry Stuckle

unread,
Nov 12, 2009, 2:25:39 PM11/12/09
to

That's one option - but that wasn't the question, was it?

0 new messages