
How can I protect my code from SQL injection? I have a URL like this:

example.com/players.php?ids=100098,131183,188736,261945,301588

and query

$ids = (isset($_GET['ids'])) ? $_GET['ids'] : false;
// $ids is interpolated unescaped, so anything after a "," or ")" in the URL becomes SQL
$query = "SELECT * FROM player WHERE profileid IN (". $ids .")";
  • I can't find an answer in that thread; why did you close it? – Jul 28 '15 at 11:44
  • You can't use parameter binding with an array, only single values. `explode()` on the comma, cast each element to int, and then `implode()` using a comma again. – halfer Jul 28 '15 at 12:04
  • That said, you can use parameter binding if you are happy to programmatically create the placeholders in your SQL string. [See here](http://stackoverflow.com/q/11405602/472495), [here](http://stackoverflow.com/q/920353/472495) and [here](http://stackoverflow.com/q/1586587/472495). – halfer Jul 28 '15 at 12:07
  • Any example with non-PDO? – Jul 28 '15 at 12:19
  • What library are you using? – halfer Jul 28 '15 at 12:24
  • XAMPP 1.6.8 on localhost; yes, it's a bit old. – Jul 28 '15 at 12:28
  • I meant database library. MySQL (deprecated `mysql_`) or MySQLi? – halfer Jul 28 '15 at 14:15
  • I got an answer on another forum. The question can be closed! – Jul 31 '15 at 21:20

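The two techniques halfer's comments describe (explode, cast each element to int, implode; or generate one placeholder per id and bind each one) are worked out below for the question's `player`/`profileid` query. This is an added example, not code from the question, the comments or any of the linked threads. It assumes PHP 5.6+ (argument unpacking), the mysqlnd driver (for `get_result()`), and an open MySQLi connection in `$mysqli`; the asker's XAMPP 1.6.8 ships an older PHP, so approach 2 would need `call_user_func_array` there instead of `...$ids`. The hostile id value is constructed for the demonstration.

```php
<?php
// Added example, not code from the question or the comments. Assumes PHP 5.6+
// (argument unpacking), the mysqlnd driver (for get_result) and an open
// MySQLi connection in $mysqli; the table `player` and column `profileid`
// come from the question.

/**
 * Turn a raw "?ids=" value such as "100098,131183,abc,, 5" into a list of
 * distinct non-negative ints: [100098, 131183, 5]. Anything that is not a
 * plain decimal integer is dropped rather than cast, so an injected fragment
 * like "1) OR (1=1" never reaches the query in any form.
 */
function parseIdList($raw, $maxIds = 100)
{
    $ids = array();
    foreach (explode(',', (string) $raw) as $part) {
        $part = trim($part);
        // ctype_digit() rejects the empty string, signs, spaces, hex and
        // decimals; the length cap keeps (int) from saturating on huge input.
        if ($part !== '' && ctype_digit($part) && strlen($part) <= 18) {
            $ids[] = (int) $part;
        }
    }
    $ids = array_values(array_unique($ids));
    return array_slice($ids, 0, $maxIds);
}

/**
 * Approach 1 (halfer's first comment, no binding needed): interpolating is
 * safe here only because every element of $ids is an int we produced
 * ourselves. Returns null for an empty list, since "IN ()" is a MySQL syntax
 * error and must not be sent.
 */
function buildInQuery(array $ids)
{
    if (count($ids) === 0) {
        return null;
    }
    return 'SELECT * FROM player WHERE profileid IN (' . implode(',', $ids) . ')';
}

/**
 * Approach 2 (halfer's second comment, MySQLi prepared statement): one "?"
 * per id, each bound as an integer. A single placeholder cannot take an
 * array, so the placeholder string and the type string are generated from
 * the list length.
 */
function fetchPlayersByIds(mysqli $db, array $ids)
{
    if (count($ids) === 0) {
        return array();
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT * FROM player WHERE profileid IN ($placeholders)");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param(str_repeat('i', count($ids)), ...$ids);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// The URL from the question, with a hostile element appended (constructed input):
$raw = isset($_GET['ids']) ? $_GET['ids'] : '100098,131183,188736,261945,301588,1) OR (1=1';
$ids = parseIdList($raw);
echo buildInQuery($ids), PHP_EOL;

// With a live connection (hypothetical credentials):
// $mysqli = new mysqli('localhost', 'user', 'pass', 'dbname');
// $players = fetchPlayersByIds($mysqli, $ids);
```

Run against the constructed value, `parseIdList()` drops the trailing `1) OR (1=1` element entirely rather than casting it to `1`, and `buildInQuery()` returns the question's original query with only the five numeric ids. The two checks a practitioner should not skip are the empty-list case (`IN ()` is invalid SQL, so both functions bail out before touching the database) and the `$maxIds` cap, which stops a caller from sending a multi-megabyte id list. Whitelisting with `ctype_digit()` is preferable to a bare `(int)` cast because the cast silently turns `1) OR (1=1` into `1`, which is safe but hides the fact that the request was tampered with.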