
My question is: How can I put 3 variables from POST into AnswerId so that it will delete the whole row in my database?

This is my code:

$tbAlleAntId = $_POST['tbAntId1'], $_POST['tbAntId2'], $_POST['tbAntId3'];
$tbDeleteAnswerId = $tbAlleAntId;
$deleteAnt = "DELETE FROM Antwoorden WHERE AnswerId= ".$tbDeleteAnswerId;

$numRowsAnt=$dbQuiz->exec($deleteAnt);

$dbQuiz=null;

I am using the PDO API to connect with.

Funk Forty Niner
Wanthelp

  • **Danger!** Your code is very vulnerable to SQL injection. You should use parameterized statements; PDO has a very nice facility for doing just that. – Ben N Dec 11 '15 at 14:16

1 Answer


Assuming your POST variables contain safe data, create a concatenated string and use the MySQL IN clause:

$tbAlleAntId = $_POST['tbAntId1'] . ',' . $_POST['tbAntId2'] . ',' . $_POST['tbAntId3'];
$deleteAnt = "DELETE FROM Antwoorden WHERE AnswerId IN(" . $tbAlleAntId . ")";

But you should definitely clean up your $_POST to make sure nothing harmful is sent (see How can I prevent SQL-injection in PHP).

In your case, one easy way could be to check that the $_POST actually contains numeric ids and nothing else.

if (is_numeric($_POST['tbAntId1']) && is_numeric($_POST['tbAntId2']) && is_numeric($_POST['tbAntId3'])) {
    $tbAlleAntId = $_POST['tbAntId1'] . ',' . $_POST['tbAntId2'] . ',' . $_POST['tbAntId3'];
    $deleteAnt = "DELETE FROM Antwoorden WHERE AnswerId IN(" . $tbAlleAntId . ")";
    $numRowsAnt=$dbQuiz->exec($deleteAnt);
}
Community
daker
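
Ben N's comment and the answer's link both point to parameterized statements; the following added example (not code from the question or the answer) performs the same delete with one bound placeholder per id, so no request data reaches the SQL text. The in-memory SQLite database, the `Tekst` column, the `$post` array and the `deleteAnswers` helper are assumptions made so that it runs stand-alone.

```php
<?php
declare(strict_types=1);

// Delete every row whose AnswerId is in $rawIds.
// Ids are validated as positive integers and bound as parameters.
// deleteAnswers() is a hypothetical helper, not part of PDO.
function deleteAnswers(PDO $db, array $rawIds): int
{
    $ids = [];
    foreach ($rawIds as $raw) {
        // Unlike is_numeric(), this rejects "1e5", "1.5", "-1" and " 1"
        $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false) {
            throw new InvalidArgumentException('AnswerId must be a positive integer');
        }
        $ids[] = $id;
    }
    if ($ids === []) {
        return 0; // "IN ()" is a syntax error, so never build it
    }

    // Only "?" placeholders are concatenated into the statement text
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("DELETE FROM Antwoorden WHERE AnswerId IN ($placeholders)");
    $stmt->execute($ids);
    return $stmt->rowCount();
}

// Constructed demo data: in-memory SQLite stands in for the real database
$dbQuiz = new PDO('sqlite::memory:');
$dbQuiz->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbQuiz->exec('CREATE TABLE Antwoorden (AnswerId INTEGER PRIMARY KEY, Tekst TEXT)');
$dbQuiz->exec("INSERT INTO Antwoorden VALUES (1,'a'),(2,'b'),(3,'c'),(4,'d')");

// Constructed stand-in for $_POST
$post = ['tbAntId1' => '1', 'tbAntId2' => '2', 'tbAntId3' => '3'];
$rawIds = array_map(fn ($f) => $post[$f] ?? null, ['tbAntId1', 'tbAntId2', 'tbAntId3']);
echo deleteAnswers($dbQuiz, $rawIds), " row(s) deleted\n";

// A value that is not a plain integer is rejected before any SQL runs
try {
    deleteAnswers($dbQuiz, ['4 OR 1=1']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```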