Updated: How to parameterized a query having 'IN' clause?

Question

We are using raw query in our project.I want to parameterized my sql query to avoid sql injection, facing issue with 'IN' clause. IN clause have every type of value in it like 'string', 'int', both

Case:1

$Misc1Filter:(string) '112211','222211'

query string becomes

...AND ( u.MISC IN ( '112211','222211'))

Case:2

$Misc2Filter:(string) ' testing','abc'

query string becomes

...AND (u.Misc_02 IN ( ' testing','abc'))

Case:3

$Misc3Filter:(string) 'BAQF321','abc'

query string becomes

...AND ( u.Misc_03 IN ( 'BAQF321','abc'))

Complete code

$query = "Select u.MISC, u.Misc_02, u.Misc_03 from Users u where u.token =:token";
    if ($Misc1Filter != null) {
        $query .= " AND ( u.MISC IN ( " . $Misc1Filter . ")) ";
    }
    if ($Misc2Filter != null) {
        $query .= " AND (u.Misc_02 IN ( " . $Misc2Filter . ")) ";
    }
    if ($Misc3Filter != null) {
        $query .= "  AND ( u.Misc_03 IN ( " . $Misc3Filter . ")) ";
    }

    $paramArray ['token'] = 'abc';
    $result = parent::rawToParameterized($query,$paramArray);
    return $result;

and method looks like

public function rawToParameterized($sql, $params, $fetchResult = true) {
    $conn = $this->getEntityManager()->getConnection();
    $stmt = $conn->prepare($sql);
    foreach ($params as $key => $value) {
        if (strpos($sql, ':' . $key) !== false) {
            $stmt->bindValue(':' . $key, $value);
        }
    }
    $stmt->execute();

    if ($fetchResult) {
        return $stmt->fetchAll();
    }
}

Doctrine already supports in operator natively, both in query builder and DQL. Of course you need to supply an **array** as an argument — Your Common Sense, Sep 19 '19 at 10:59

Updated: How to parameterized a query having 'IN' clause?

0 Answers0