How to integrate PHP comma separated String in to SQL Query?

Question

Unfortunately, I don't get it...

I have a php variable which contains comma separated numbers as a string:

$var = $_POST['postvar'];

And postvar contains the string: 1,2,3,4,5,6,7,8,9,10

I want to use this string in a SQL query:

SELECT * FROM table WHERE id NOT IN ('$var');

But MS SQL ignore my id-restriction.

Where is the mistake?

Thank you so much!

`WHERE id NOT IN ('1,2,3,4,5,6,7,8,9,10');` will look for an integer in a list consisting of one string literal. — jarlh, Aug 03 '18 at 07:44
**Warning:** You are wide open to [SQL Injections](http://php.net/manual/en/security.database.sql-injection.php) and should really use parameterized [Prepared Statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) instead of manually building your queries like that. Specially since you're not escaping the user inputs at all! — M. Eriksson, Aug 03 '18 at 07:48
When using `IN()` with prepared statements, you need to dynamically create the placeholders. Here's one answer about that: https://stackoverflow.com/questions/3703180/a-prepared-statement-where-in-query-and-sorting-with-mysql. That's for MySQL, but the principle is the same (and I don't know what mssql-api you're using). — M. Eriksson, Aug 03 '18 at 07:50

Lawrence Cherone · Answer 1 · 2018-08-03T08:02:01.680

1

Dont use concatenation in SQL querys!

Firstly either check each value is an int or cast it, for example:

<?php

$var = '1,2,3,4,5,6,7,8,9,10,11);DROP table users;--';

$var = explode(',', $var);

array_walk($var, function(&$value){
    $value = (int) $value;
});

print_r($var);

https://3v4l.org/AGRqL

Array
(
    [0] => 1
    [1] => 2
    [2] => 3
    [3] => 4
    [4] => 5
    [5] => 6
    [6] => 7
    [7] => 8
    [8] => 9
    [9] => 10
    [10] => 0
)

Then use prepared queries [sqlsrv_prepare()] after building your query string:

$sql = '
    SELECT * 
    FROM table 
    WHERE id NOT IN (
        '.implode(',', array_fill(0, count($var), '?')).'
    )
';

echo $sql;

https://3v4l.org/oU6iB

edited Aug 03 '18 at 08:02

answered Aug 03 '18 at 07:55

Lawrence Cherone

46,049
7
62
106

Thank you first part works well! But Query-Part still do not work : You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ')' at line 1 – ThisIsIT Aug 03 '18 at 08:21
1

MariaDB is not `MS SQL` did you mean `MY SQL`?, print_r your statement before running it, the SQL code I posted is fine. – Lawrence Cherone Aug 03 '18 at 08:25
p.s also show the code your using to query the db.. (so I can update the link to the manual). – Lawrence Cherone Aug 03 '18 at 08:31
print_r ist showing: SELECT * FROM table WHERE id NOT IN ( ); – ThisIsIT Aug 03 '18 at 08:31
Then `$var` is empty. Will need to see your code to know why. – Lawrence Cherone Aug 03 '18 at 08:32
print_r for $var is showing the right array, it is not empty :( – ThisIsIT Aug 03 '18 at 08:33
Ok you was right! print_r ist showing now: SELECT * FROM table WHERE id NOT IN (?,?,?,?,?,?,?,?,?,?,?); – ThisIsIT Aug 03 '18 at 09:09

How to integrate PHP comma separated String in to SQL Query?

1 Answers1