0

I don't know exactly how to title this question, however I became aware of risks of SQL injection and I am modifying a query to use a prepared statement.

In the original query I was passing an array of ids to look for in the DB like this:

AND item.id IN ($ids)

where for example

$ids = "35,36,69,73,98,218,219,234,242";

Now I modified the query so I put that data into $params like this:

$params = [':ids' => $ids ];

and modified the line in the query to:

AND item.id IN (:ids)

so I execute the query like this:

$query->execute($params);

However by dumping $query I can see that the ids are not passed and this is what passes instead:

IN (:ids)

So obviously nothing is retrieved.

tadman
  • 208,517
  • 23
  • 234
  • 262
Chriz74
  • 1,410
  • 3
  • 23
  • 47
  • What flavor of SQL rdbms? If it's SQL Server check out "Table Valued Parameters". – Jacob H May 08 '18 at 18:22
  • I am using mySQL – Chriz74 May 08 '18 at 18:24
  • There's [answers like this](https://stackoverflow.com/questions/920353/can-i-bind-an-array-to-an-in-condition) which help address that deficiency in PDO. – tadman May 08 '18 at 18:38
  • I tried the solution, I get `SQLSTATE[HY093]: Invalid parameter number: parameter was not defined` – Chriz74 May 08 '18 at 18:49
  • If you're creating that list of IDs, and you know they're integers, why not simply put them literally in the query? That's the simplest solution, it won't fail, it's not vulnerable, and it takes 1 line to write if you are already sure you have integers. – Alex May 08 '18 at 20:00
  • Yes you are right. I was overthinking. Anyway I will also try other solutions. – Chriz74 May 08 '18 at 20:01

0 Answers0