
I have a search page where the user can select multiple checkboxes. I'm trying to format the response page properly using PDO. I got the query to work, but not using the question marks. Is there a way to write this query with the question marks, or is it safe as it is?

Response Page

```php
<?php
// $con is the PDO connection (assumed from the question)
$groupid = implode(",", $_POST['groupid']);
// the comma-joined user input is interpolated into the SQL text before prepare(),
// so the placeholders prepare() is meant to provide are never used
$query = $con->prepare("SELECT custid FROM cus_grps WHERE groupid IN (" . $groupid . ") GROUP BY custid");
$query->execute([]);

while ($row = $query->fetch()) {
    echo $row['custid'];
}
```
craison
  • I think you can follow this solution: https://stackoverflow.com/a/57934798/6829171 – Nur Muhammad Aug 18 '21 at 03:49
  • This is not safe. In fact, there's no difference between this and just running the query directly because you're interpolating the user data into your string before preparing it. There are ways to do this safely - see the linked questions – Tangentially Perpendicular Aug 18 '21 at 03:59
  • I've tried a few of the solutions but I get the error: Parameter must be an array or an object that implements Countable – craison Aug 18 '21 at 04:11
  • @craison I was about to write up an answer to cover your problem, but it seems that the duplicate police have wielded their big hammer before anyone could help you further. Take a look at this [blog entry](https://www.pragmanotdogma.com/the-blog/29-perpared-statements-binding-an-array-of-parameters-to-an-in-clause) and see if it helps you. – Tangentially Perpendicular Aug 18 '21 at 06:27
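The approach the comments point to, as an added example that is not the asker's code or from the linked posts: one `?` placeholder is generated per selected value and the values are passed to `execute()`, so the SQL text never contains user input. It assumes the `cus_grps` table from the question and uses an in-memory SQLite database with constructed rows so it runs offline.

```php
<?php
// Constructed stand-in for the question's $con and cus_grps table (in-memory SQLite).
$con = new PDO('sqlite::memory:');
$con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$con->exec('CREATE TABLE cus_grps (custid INTEGER, groupid INTEGER)');
$con->exec('INSERT INTO cus_grps VALUES (1, 10), (1, 11), (2, 11), (3, 12)');

// Constructed stand-in for $_POST['groupid'] as sent by checkboxes named groupid[].
// The (array) cast guards against a non-array value (nothing checked, or a single
// string), which is what makes count() raise "Parameter must be an array".
$selected = (array) ($_POST['groupid'] ?? ['10', '12']);

function findCustomersInGroups(PDO $con, array $groupids): array
{
    // groupids are integers, so normalise the input before it reaches the query.
    $groupids = array_map('intval', array_values($groupids));

    // "IN ()" with no values is a SQL syntax error; return early instead.
    if ($groupids === []) {
        return [];
    }

    // One ? per value: the SQL text contains only placeholders, never user data.
    $placeholders = implode(',', array_fill(0, count($groupids), '?'));
    $stmt = $con->prepare(
        "SELECT custid FROM cus_grps WHERE groupid IN ($placeholders) GROUP BY custid"
    );

    // execute() binds the array positionally; the values travel separately from the SQL.
    $stmt->execute($groupids);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

foreach (findCustomersInGroups($con, $selected) as $custid) {
    echo $custid, PHP_EOL;   // for the constructed rows and input this prints 1 and 3
}
```

Named placeholders cannot be reused for a variable-length list, which is why the positional `?` form is generated here; the same shape works unchanged against MySQL with the question's `$con`.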
