
I have a string of ids like 1,2,3,4,5 and I want to be able to list all rows in mysql where the ID is contained in that list.

I assumed the easiest way would be to turn the string into an array and then match in ($array) but it doesn't work for me - no errors etc but it returns no rows:

$string="1,2,3,4,5";
$array=array_map('intval', explode(',', $string));
$query=mysqli_query($conn, "SELECT name FROM users WHERE id IN ('".$array."')");

If I do a var_dump of $array I get:

array(5) { 
    [0]=> int(1) 
    [1]=> int(2) 
    [2]=> int(3) 
    [3]=> int(4) 
    [4]=> int(5) 
}

Any idea where I am screwing up?

  • Are the IDs strings or integers? Commented Nov 25, 2013 at 20:53

3 Answers

$string="1,2,3,4,5";
$array=array_map('intval', explode(',', $string));
$array = implode("','",$array);
$query=mysqli_query($conn, "SELECT name FROM users WHERE id IN ('".$array."')");

NB: the syntax is:

SELECT * FROM table WHERE column IN('value1','value2','value3')


6 Comments

@bhttoan it might have worked great, but it is subject to vulnerabilities...
How so? I showed a VERY simplified and stripped down view of the code (including the actual query itself) to avoid putting too much unnecessary code but I am happy that the array content is sanitised and safe
@bhttoan You are not parameterizing anything. Especially if the string is coming from the client there could be issues.
@qwertynl parameterizing is a solid way to protect against SQL injection but that doesn't mean all other ways are wrong. If I expect a value of "10" and I do $string==10 this is not any weaker than parameterizing.
how would you parameterize this statement?

Your query translates to:

SELECT name FROM users WHERE id IN ('Array');

Or something to that effect.

Try using prepared queries instead, something like:

$numbers = array_map('intval', explode(',', $string));
// one "?" per value, left unquoted: IN ('?,?,?') would be a single string literal containing no placeholders
$prepare = array_map(function(){ return '?'; }, $numbers);
$statement = mysqli_prepare($link , "SELECT name FROM users WHERE id IN (".implode(',', $prepare).")");
if($statement) {
   // one "i" per value so every element is bound as an integer
   $ints = array_map(function(){ return 'i'; }, $numbers);
   // mysqli_stmt_bind_param() takes its values by reference, so unpack the array
   // directly (PHP 5.6+); call_user_func_array() with plain values does not bind
   mysqli_stmt_bind_param($statement, implode('', $ints), ...$numbers);
   mysqli_stmt_execute($statement);
   $results = mysqli_stmt_get_result($statement);
   // do something with results 
   // ...
}

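The two safe routes discussed in this thread, reducing every element to an integer before it reaches the query (the accepted answer) and binding one placeholder per element (the prepared-statement answer above), combined into one helper as an added example. This is not code from any of the answers. It assumes the question's $conn mysqli connection and a users(id, name) table, a mysqlnd-backed mysqli (mysqli_stmt_get_result and mysqli_fetch_all need it) and PHP 5.6 or later for argument unpacking; the input string is constructed for the demonstration. It also covers the two cases the thread skips: an empty list (IN () is a MySQL syntax error) and tokens that are not integers at all.

```php
<?php
// Added example, not taken from the thread. Assumes the question's $conn
// (a mysqli connection) and a users(id, name) table; mysqli_stmt_get_result()
// needs the mysqlnd driver, and "...$ids" needs PHP 5.6+.

/**
 * Turn a user-supplied "1,2,3" string into a list of distinct non-negative ints.
 * Tokens that are not plain digit strings are dropped rather than coerced,
 * so "1,abc,3" gives [1, 3] and "1 OR 1=1" gives [].
 */
function parse_id_list($csv)
{
    $ids = array();
    foreach (explode(',', (string) $csv) as $token) {
        $token = trim($token);
        if ($token !== '' && ctype_digit($token)) {
            $ids[] = (int) $token;
        }
    }
    return array_values(array_unique($ids));
}

/**
 * Build the placeholder part of the IN() clause: "?,?,?" for three values.
 * Kept separate so the shape of the SQL can be inspected before it is sent.
 * The placeholders must not be wrapped in quotes: IN ('?,?,?') is one string
 * literal containing no parameters at all.
 */
function in_placeholders($count)
{
    return implode(',', array_fill(0, $count, '?'));
}

/**
 * Fetch id/name rows for the given ids, binding one integer per placeholder.
 * Returns an empty array for an empty list instead of sending "IN ()",
 * which is a MySQL syntax error.
 */
function names_for_ids(mysqli $conn, array $ids)
{
    if (count($ids) === 0) {
        return array();
    }
    $sql  = "SELECT id, name FROM users WHERE id IN (" . in_placeholders(count($ids)) . ")";
    $stmt = mysqli_prepare($conn, $sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . mysqli_error($conn));
    }
    // One "i" per value; mysqli_stmt_bind_param() takes the values by
    // reference, which argument unpacking of a local array satisfies.
    mysqli_stmt_bind_param($stmt, str_repeat('i', count($ids)), ...$ids);
    if (!mysqli_stmt_execute($stmt)) {
        $err = mysqli_stmt_error($stmt);
        mysqli_stmt_close($stmt);
        throw new RuntimeException('execute failed: ' . $err);
    }
    $rows = mysqli_fetch_all(mysqli_stmt_get_result($stmt), MYSQLI_ASSOC);
    mysqli_stmt_close($stmt);
    return $rows;
}

// Constructed sample input: valid ids mixed with a duplicate, whitespace and
// the kind of garbage a client might send; only the plain digit tokens survive.
$input = "1, 2,3,4,5,3,abc,-1,1 OR 1=1";
$ids   = parse_id_list($input);
printf("ids: %s\n", implode(',', $ids));
printf("sql: SELECT id, name FROM users WHERE id IN (%s)\n", in_placeholders(count($ids)));

// With a live connection from the question ($conn = mysqli_connect(...)):
// foreach (names_for_ids($conn, $ids) as $row) {
//     echo $row['id'], ': ', $row['name'], "\n";
// }
```

The parser rejects rather than coerces: intval("1 OR 1=1") would quietly return 1, which hides a probe that is worth logging, whereas dropping the token makes the bad input visible in the difference between what was sent and what was queried. The SQL text itself is built only from the placeholder count, so its shape is fixed by the number of ids and never by their content.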


Change

$array=array_map('intval', explode(',', $string));

To:

$array= implode(',', array_map('intval', explode(',', $string)));

array_map returns an array, not a string. You need to convert the array to a comma-separated string in order to use it in the WHERE clause.

5 Comments

Then that just turns it back into the original string... What is the point?
I believe that's what he requested.
This looks like the same end result as my chosen answer but in one line rather than two so not sure why the downvote? FYI @Darius I did not downvote this
@bhttoan this answer is the same as doing: $query=mysqli_query($conn, "SELECT name FROM users WHERE id IN ('".$string."')"); It does not change the original string at all.
@qwertynl Well the OP wanted to run the intval() function on each value in the array, then spit back a comma-separated string. I accomplished what was asked by the OP, nothing more, whether or not array_map() was required.
