发表新帖
发表新帖

Passing an array to a query using a WHERE clause

后端 未结
关注
18 927
情歌与酒
情歌与酒 2020-11-21 09:03

Given an array of ids $galleries = array(1,2,5) I want to have a SQL query that uses the values of the array in its WHERE clause like:
相关标签:
18条回答
  • 后悔当初
    2020-11-21 09:34

    Col. Shrapnel's SafeMySQL library for PHP provides type-hinted placeholders in its parametrised queries, and includes a couple of convenient placeholders for working with arrays. The ?a placeholder expands out an array to a comma-separated list of escaped strings*.

    For example:

    $someArray = [1, 2, 5];
$galleries = $db->getAll("SELECT * FROM galleries WHERE id IN (?a)", $someArray);

    * Note that since MySQL performs automatic type coercion, it doesn't matter that SafeMySQL will convert the ids above to strings - you'll still get the correct result.

    0 讨论(0)
  • 失恋的感觉
    2020-11-21 09:39

    We should take care of SQL injection vulnerabilities and an empty condition. I am going to handle both as below.

    For a pure numeric array, use the appropriate type conversion viz intval or floatval or doubleval over each element. For string types mysqli_real_escape_string() which may also be applied to numeric values if you wish. MySQL allows numbers as well as date variants as string.

    To appropriately escape the values before passing to the query, create a function similar to:

    function escape($string)
{
    // Assuming $db is a link identifier returned by mysqli_connect() or mysqli_init()
    return mysqli_real_escape_string($db, $string);
}

    Such a function would most likely be already available to you in your application, or maybe you've already created one.

    Sanitize the string array like:

    $values = array_map('escape', $gallaries);

    A numeric array can be sanitized using intval or floatval or doubleval instead as suitable:

    $values = array_map('intval', $gallaries);

    Then finally build the query condition

    $where  = count($values) ? "`id` = '" . implode("' OR `id` = '", $values) . "'" : 0;

    or

    $where  = count($values) ? "`id` IN ('" . implode("', '", $values) . "')" : 0;

    Since the array can also be empty sometimes, like $galleries = array(); we should therefore note that IN () does not allow for an empty list. One can also use OR instead, but the problem remains. So the above check, count($values), is to ensure the same.

    And add it to the final query:

    $query  = 'SELECT * FROM `galleries` WHERE ' . $where;

    TIP: If you want to show all records (no filtering) in case of an empty array instead of hiding all rows, simply replace 0 with 1 in the ternary's false part.

    0 讨论(0)
  • 再見小時候
    2020-11-21 09:41

    More an example:

    $galleryIds = [1, '2', 'Vitruvian Man'];
$ids = array_filter($galleryIds, function($n){return (is_numeric($n));});
$ids = implode(', ', $ids);

$sql = "SELECT * FROM galleries WHERE id IN ({$ids})";
// output: 'SELECT * FROM galleries WHERE id IN (1, 2)'

$statement = $pdo->prepare($sql);
$statement->execute();
    0 讨论(0)
  • 感动是毒
    2020-11-21 09:44

    We can use this "WHERE id IN" clause if we filter the input array properly. Something like this:

    $galleries = array();

foreach ($_REQUEST['gallery_id'] as $key => $val) {
    $galleries[$key] = filter_var($val, FILTER_SANITIZE_NUMBER_INT);
}

    Like the example below:enter image description here

    $galleryIds = implode(',', $galleries);

    I.e. now you should safely use $query = "SELECT * FROM galleries WHERE id IN ({$galleryIds})";

    0 讨论(0)
  • 轻奢々
    2020-11-21 09:45

    Basic methods to prevent SQL injection are:

    • Use prepared statements and parameterized queries
    • Escaping the special characters in your unsafe variable

    Using prepared statements and parameterized queries query is considered the better practice, but if you choose the escaping characters method then you can try my example below.

    You can generate the queries by using array_map to add a single quote to each of elements in the $galleries:

    $galleries = array(1,2,5);

$galleries_str = implode(', ',
                     array_map(function(&$item){
                                   return "'" .mysql_real_escape_string($item) . "'";
                               }, $galleries));

$sql = "SELECT * FROM gallery WHERE id IN (" . $galleries_str . ");";

    The generated $sql var will be:

    SELECT * FROM gallery WHERE id IN ('1', '2', '5');

    Note: mysql_real_escape_string, as described in its documentation here, was deprecated in PHP 5.5.0, and it was removed in PHP 7.0.0. Instead, the MySQLi or PDO_MySQL extension should be used. See also MySQL: choosing an API guide and related FAQ for more information. Alternatives to this function include:

    • mysqli_real_escape_string()

    • PDO::quote()

    0 讨论(0)
  • Happy的楠姐
    2020-11-21 09:48

    BEWARE! This answer contains a severe SQL injection vulnerability. Do NOT use the code samples as presented here, without making sure that any external input is sanitized.

    $ids = join("','",$galleries);   
$sql = "SELECT * FROM galleries WHERE id IN ('$ids')";
    0 讨论(0)
 看不清?
提交回复
热议问题