
I need help preventing "Notice: Array to string conversion in "

$stmt = $DBH->prepare("SELECT * FROM users WHERE id = :emailid");
$stmt->bindParam(':emailid', $emailid, PDO::PARAM_STR);   // $emailid holds the id request parameter
$stmt->execute();
$result = $stmt->fetchAll();
foreach ($result as $row) {
    echo $row['id'].'<br />';
    echo $row['emailid'].'<br />';
    echo $row['password'];
}

Everything is OK with index.php?id=5

but when I put index.php?id[]=5

it returns the error

Notice: Array to string conversion in 

What is the best way to check for arrays in this case? error_reporting(0) is not a solution; I want to find an optimized method.

  • What exactly were you expecting to happen when putting an array notation inside `get` parameters? `index.php?id[]=5` – al'ein Sep 28 '15 at 18:16
  • To check for an array: http://php.net/is_array – Mike Sep 28 '15 at 18:18
  • Just testing all parameters, in this case you can see the full path disclosure ... – user3576620 Sep 28 '15 at 18:18
  • If you're going to have one option to provide single ids and another to provide an array of ids, call them something different. For example, call the singular `id` and the array `ids`. Then just check which one is set in your php code. – Mike Sep 28 '15 at 18:21
  • Just to make sure: you assign $_GET['id'] to $emailid and the line "producing" the notice is `$stmt->bindParam...`? – VolkerK Sep 28 '15 at 18:21
  • `$emailid` is an array. What is the **expected** output? – Salman A Sep 28 '15 at 18:23
  • If it's always an integer, why are you even asking this question? What are you *actually* trying to do? – Mike Sep 28 '15 at 18:32

1 Answer

Not sure in which direction you want this question to go. But let's assume you want - for some reason - to make it work either way: ?id=... and ?id[]=...&id[]=...

if ( !is_array($_GET['id']) ) {
    // just make it an array with one element,
    // so a single string id is just a special case of the array case
    $ids = array( $_GET['id'] );
}
else {
    $ids = $_GET['id'];
}

// prepare and bind once; bindParam binds $emailid by reference, so each
// iteration of the loop below supplies the current id to execute()
$stmt = $DBH->prepare("SELECT * FROM users WHERE id = :emailid");
$stmt->bindParam(':emailid', $emailid, PDO::PARAM_STR);
foreach( $ids as $emailid ) {
    $stmt->execute();
    $result = $stmt->fetchAll();
    foreach($result as $row) {
        // ...
    }
}
VolkerK
  • btw, before someone else is going to point it out: it would also be possible to create a `WHERE id IN (?,?,?...)` prepared statement having exactly the number of parameters as `count($ids)` - but I'd not start there but rely on the query planner to do a good job and the network overhead being negligible. You can still change it if these assumptions are wrong ;-) – VolkerK Sep 28 '15 at 18:39
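As an added example (not code from the question or the answer): validate the id parameter as a positive integer or a list of them before it reaches PDO, and run a single IN (...) query with one placeholder per id, the variant VolkerK mentions in the comment. It assumes $DBH is an existing PDO connection; the table and column names are those used in the question.

```php
<?php
// Added example, not code from the question or the answer. Assumes $DBH is an
// existing PDO connection; table and column names are those used in the question.

// Notices must not reach the client: a visible "Array to string conversion in
// /full/path/index.php" is exactly the path disclosure mentioned in the comments.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Accept ?id=5 or ?id[]=5&id[]=7 and return a list of validated integers.
// Anything else (missing, nested array, "5abc", zero or negative) is rejected.
function normalizeIds($raw): array
{
    $list = is_array($raw) ? $raw : [$raw];
    $ids = [];
    foreach ($list as $value) {
        // filter_var returns false for arrays, null, floats and non-numeric strings
        $int = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($int === false) {
            throw new InvalidArgumentException('id must be a positive integer or a list of them');
        }
        $ids[] = $int;
    }
    return array_values(array_unique($ids));
}

// One prepared statement with as many placeholders as ids (the IN (?,?,...)
// variant from the comment), every value bound as an integer.
function fetchUsersByIds(PDO $DBH, array $ids): array
{
    if ($ids === []) { return []; }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $DBH->prepare("SELECT id, emailid FROM users WHERE id IN ($placeholders)");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);   // positional params are 1-based
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

try {
    $ids = normalizeIds($_GET['id'] ?? null);
} catch (InvalidArgumentException $e) {
    http_response_code(400);   // bad input is a client error, not a notice in the page
    exit('invalid id parameter');
}
foreach (fetchUsersByIds($DBH, $ids) as $row) {
    echo htmlspecialchars($row['id']), ' ', htmlspecialchars($row['emailid']), '<br />';
}
```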