How to remove single quotes in prepare statement?

Question

My query is like this :

$group_id = $session[\'group_id\'];

$sql = \"SELECT *
        FROM notification 
        WHERE group_id IN(?)\";

$result = $this-&g         


        

Answer 1

You either need to dynamically add in as many ? as you have values in the array...

Or stop using a prepared query and do something like the following:

$group_id = $session['group_id'];

$sql = "SELECT *
    FROM notification 
    WHERE group_id IN (".implode($group_id,",").")";

If the data hasn't come from a user you don't necessarily need to use a prepared query to make sure the data is safe. But if necessary you could do an is_numeric() check before the query to see if the data is valid.