0

I know there are too many related questions to the title, but so many answers out there didn't help me achieve what i'm trying to do.

I am trying to execute the following code example on mysql:

SELECT * FROM users 
WHERE user_id in (1, 2, 3, 4)

The ids are dynamic and it is passed from flutter to PHP Api. So in flutter, my list is like this:

listOfIds = [1, 2, 3, 4]; //This is dynamic
stringIds = listOfIds.join(","); //Output will be "1,2,3,4"

I then pass it to my PHP APi using the following code:

var response = await http.post(
      Uri.parse('example'),
      headers: {'Accept': 'application/json'},
      body: {
        'ids': stringIds, //has to be converted to string
      },
    );

And my php api is like this:

$ids = $_POST['ids'];

$sql = "SELECT * FROM users WHERE user_id in ('".$ids."') ";

So now, the issue here is that the query is doing

where user_id in ("1, 2, 3, 4")

All I need to do is remove the quotes which is converting from string to int.

I tried the following:

$intIds = implode(',', $ids);

$intIds = array_map('interval', explode(',', $ids));

$intIds = array_map('interval', json_decode($ids, true));

and everything in Convert a comma-delimited string into array of integers?

But nothing is working for the sql query i am trying to execute

Texv
  • 1,225
  • 10
  • 14
  • 1
    You were closer on your second array map (what is `interval`?). Use `explode()` to convert the string to an array, then implode again to build up the string. Or take a hint from https://stackoverflow.com/questions/14767530/php-using-pdo-with-in-clause-array to use it in a prepared statement – aynber Dec 08 '22 at 13:46
  • `All I need to do is remove the quotes`...well it was you who put them there. Look closely at `in ('".$ids."')`...see those single quote marks? You hard-coded those in, it's nothing to do with the input data, so manipulating that won't make the slightest bit of difference. But anway as CBroe says you must use prepared statements and parameters regardless (for both reliability and security reasons). – ADyson Dec 08 '22 at 13:51
  • Sorry but I am still confused. The link you sent converts an array, its not the same type of string as mine. Are you able to show an example? start with $string = '1,2,3'; on onlinephp.io for example – Texv Dec 08 '22 at 14:01
  • @ADyson even if i remove the quotes i am still passing the list as a string type value from flutter – Texv Dec 08 '22 at 14:02
  • 1
    `i am still passing the list as a string type`...well that's fine because you're putting into a string in PHP. It needs to make sense when it gets to mysql, that's all. Forget about the data types in flutter or PHP. Of course it's a string when it gets to PHP because HTTP requests only contain strings. It's what you do with it afterwards which is the important thing. Take those single quote marks off, do `var_dump($sql)` to see what you end up with. It should look like a valid SQL query now, where _mysql_ will see them as separate values not a single string. – ADyson Dec 08 '22 at 14:03
  • 2
    You need to turn the string `1, 2, 3, 4` into an array. To do that, use `array_map('trim', explode(',',$ids));`. Explode turns the string into an array based on the comma delimiter, then the array_map(trim()) removes the whitespace. But ADyson is right... my method is better when the values are strings, but since you're passing in straight numbers, they don't need to be quoted – aynber Dec 08 '22 at 14:03
  • But anyber is right, to use the method in their link you just convert the received string back into an array again. And then you can parameterise the values properly, as you always should with any external input into your queries (whether mysql is supposed to treat them as numbers, strings binary data or whatever is irrelevant to that). – ADyson Dec 08 '22 at 14:04
  • 1
    So I'd say this is a direct duplicate of [PHP - Using PDO with IN clause array](https://stackoverflow.com/questions/14767530/php-using-pdo-with-in-clause-array) (If you're not using PDO, you can do something very similar with mysqli, and there are existing posts online which show the exact syntax) – ADyson Dec 08 '22 at 14:06
  • oh finally got it cheers guys :) – Texv Dec 08 '22 at 14:16

0 Answers0