-1

I want to fetch an array of results from MySQL where id is an array. I had used this one:

```php
$q="SELECT * FROM stocksdb WHERE Id = '" . $_POST['prod'] . "'";
```

where 'prod' is an array, but the return is only one row even though prod contains more. So, is there any method to fetch an array of results from an array of IDs?

I need it not to be open to MySQL injections, as the possible answer is open to it.

  • I think you might be looking for SQL's `IN` syntax. Also, please look up prepared statements, you're open to SQL injection as your code is at the moment. – Jonnix May 22 '16 at 15:09
  • how are you fetching the results now? – AnatPort May 22 '16 at 15:09
  • Possible duplicate of [PHP/MySQL using an array in WHERE clause](http://stackoverflow.com/questions/907806/php-mysql-using-an-array-in-where-clause) – lolbas May 22 '16 at 15:11
  • I'm fetching results from stocksdb where id = "2,3,4". I need it to return those three rows. – Karthik Kakarla May 22 '16 at 15:11

1 Answer

0

You would be looking for the IN clause to fetch multiple values matching a condition.

http://www.tutorialspoint.com/mysql/mysql-in-clause.htm

  • IN clause is open to SQL injections, as said by Jon Stirling and lolbas. Anyway, thanks for the reply. – Karthik Kakarla May 22 '16 at 15:17
  • @KarthikChowdary SQL injection treatment applies to the way you insert external variables into an SQL query. A properly handled query is 99.9% safe. – lolbas May 22 '16 at 15:19
  • Ok, as you said @lolbas, using IN clause is safe from SQL injections? – Karthik Kakarla May 22 '16 at 15:21
  • @KarthikChowdary you can't say that using this or that language statement is open for SQL injections. If you use `IN` clause and assume that only `int` should be there, it is your responsibility to make sure only `int` will be used in the query string. Pasting raw data makes your query (but not specific statement) vulnerable. – lolbas May 22 '16 at 15:24
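
The approach from the comments above (an `IN` clause, a prepared statement, and only integers reaching the query), as an added example that is not part of the original thread. The helper name `fetchStocksByIds`, the `Name` column, the sample rows and the sample `prod` value are constructed, and an in-memory SQLite database stands in for the MySQL server so the script runs offline; with a MySQL DSN the function is unchanged.

```php
<?php
// Added example. Table stocksdb and column Id come from the question;
// the Name column and the rows below are constructed sample data.
$pdo = new PDO('sqlite::memory:'); // assumption: SQLite stands in for MySQL
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE stocksdb (Id INTEGER PRIMARY KEY, Name TEXT)');
$pdo->exec("INSERT INTO stocksdb (Id, Name) VALUES (1,'bolt'),(2,'nut'),(3,'washer'),(4,'screw')");

// Hypothetical helper: returns the rows whose Id appears in $rawIds.
function fetchStocksByIds(PDO $pdo, $rawIds): array
{
    // Accept an array (prod[]=2&prod[]=3) or one comma-separated string ("2,3,4").
    if (is_string($rawIds)) {
        $rawIds = explode(',', $rawIds);
    }
    if (!is_array($rawIds)) {
        return [];
    }
    $ids = [];
    foreach ($rawIds as $raw) {
        // Keep only positive integers; nested arrays and non-numeric text yield false.
        $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id !== false) {
            $ids[$id] = $id; // keyed by value, so duplicates collapse
        }
    }
    if ($ids === []) {
        return []; // "IN ()" is a syntax error, so skip the query entirely
    }
    $ids = array_values($ids);
    // One "?" per value: only placeholders are ever concatenated into the SQL text.
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("SELECT * FROM stocksdb WHERE Id IN ($placeholders)");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT); // positional parameters are 1-based
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed stand-in for $_POST['prod']: three valid ids, one duplicate, one non-integer value.
$prod = ['2', '3', '4', '3', '4 OR 1=1'];
print_r(fetchStocksByIds($pdo, $prod));
```

The values travel to the database as bound parameters, so the length of the list changes the number of placeholders but never puts request data into the SQL string.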