1

I was working on a search form that stores people's names in an array, and then wanted to create a query on the results page in PHP that uses an IN clause (if that's the best way; feel free to point me in another direction). Basically the page has checkboxes for all the names, so they can check one, many or all names. I tried using the implode function, but have been unsuccessful so far.

$yourName = implode("', '", $_POST['Your_name']);

if($dutyReq=="All" && $yourName!="All" ) $query="SELECT * FROM talent_eas WHERE Your_name IN ('$yourName')";

Does that look at all right? Would that handle all scenarios? I'm just starting out with PHP so I have no idea what I'm doing. I tried searching for my specific question but just didn't seem to see much use of the IN clause.

4
  • It wouldn't handle SQL injection. Commented Sep 10, 2012 at 16:23
  • It looks "ok", but you're wide open to SQL injection attacks. Commented Sep 10, 2012 at 16:23
  • good point.... so would this do the trick to protect it? $yourName = mysql_real_escape_string($yourName); Commented Sep 10, 2012 at 16:35
  • @user1658726 it would be enough in this case, but ideally you want to be looking at using PDO with mysql. Research that; you might as well learn how to do it properly. Commented Sep 10, 2012 at 16:47

3 Answers

1

Yes, that is how to use IN. Here are some more examples:

SELECT * FROM users WHERE name IN ('John','Jane');

SELECT * FROM some_table WHERE the_month IN ('January','April','September');

Also, please read up on SQL injection.

For your comment:

You need to use mysql_real_escape_string BEFORE the implode. So your code should be:

// mysql_real_escape_string() takes a single string, so map it over each element first
$yourName = implode("', '", array_map('mysql_real_escape_string', $_POST['Your_name']));

3 Comments

I modified it to: $yourName = implode("', '", $_POST['Your_name']); $yourName = mysql_real_escape_string($yourName); but that seems to break it.
I updated my answer; the formatting for code looks better there.
I tried it with the example you showed above, but it tells me that I have bad arguments in the implode function.
0

You can use

SELECT * FROM talent_eas WHERE Your_name IN ('shail','jyoti');

I suggest you read about MySQL injection, or else your code can be hacked easily.

Comments

0

Here are a few ways to prevent SQLi:

# 1. Map each name through the escape function (requires an open mysql_* connection)
$yourname = implode("', '", array_map('mysql_real_escape_string', $_POST['Your_name']));

# 2. Use PDO with a prepared statement (one placeholder per value, e.g. (?, ?, ?))
$placeholders = array_fill(0, count($_POST['Your_name']), '?');
$stmt         = $pdo->prepare('SELECT * FROM talent_eas WHERE Your_name IN (' . implode(', ', $placeholders) . ')');

// the values are bound separately from the SQL text, so quotes in them cannot change the query
$stmt->execute($_POST['Your_name']);

Comments
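As an added example (not code from the question or from any of the answers above), the following PHP puts the two approaches side by side: the quote-and-implode query from the question, run with a constructed hostile POST value so you can see what the injection actually does to the statement, and the placeholder-per-value PDO statement from the last answer, extended to handle an empty selection and a legitimate name containing a quote. It assumes the pdo_sqlite extension so it runs offline against an in-memory table; the table and column names follow the question, the rows are constructed sample data, and the function names naiveQuery and findByNames are my own. One caveat for the escaping approach in the other answers: the mysql_* functions were deprecated in PHP 5.5 and removed in PHP 7.0, so the PDO form is the one to carry forward.

```php
<?php
// Added example, not from the original question or answers.
// Assumes the pdo_sqlite extension; the rows below are constructed sample data.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE talent_eas (id INTEGER PRIMARY KEY, Your_name TEXT NOT NULL)');
$ins = $pdo->prepare('INSERT INTO talent_eas (Your_name) VALUES (?)');
foreach (['Alice', 'Bob', "O'Brien", 'Dana'] as $n) {
    $ins->execute([$n]);
}

// 1. The question's approach: quote the values by hand and implode them
//    straight into the SQL text. A checkbox value (or a hand-crafted POST)
//    that contains a quote rewrites the query. The payload below closes the
//    IN list and appends a condition that is always true.
function naiveQuery(array $names): string
{
    $list = implode("', '", $names);
    return "SELECT * FROM talent_eas WHERE Your_name IN ('$list')";
}

$attackerPost = ["Alice') OR ('1'='1"];             // constructed hostile input
$sql = naiveQuery($attackerPost);
// $sql is now: SELECT * FROM talent_eas WHERE Your_name IN ('Alice') OR ('1'='1')
$leaked = $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN, 1);
// $leaked holds every name in the table, not just Alice.

// 2. Safe version: one ? placeholder per value, values bound separately from
//    the SQL text. An empty selection is handled explicitly, because
//    "IN ()" is a syntax error in MySQL (SQLite happens to accept it, but
//    the application should not rely on that).
function findByNames(PDO $pdo, array $names): array
{
    $names = array_values(array_filter($names, 'is_string'));
    if ($names === []) {
        return [];
    }
    $placeholders = implode(', ', array_fill(0, count($names), '?'));
    $stmt = $pdo->prepare("SELECT * FROM talent_eas WHERE Your_name IN ($placeholders)");
    $stmt->execute($names);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$rows = findByNames($pdo, ["O'Brien", 'Dana']);      // two rows; the quote needs no escaping
$safe = findByNames($pdo, ["Alice') OR ('1'='1"]);   // zero rows; the payload is just a name
$none = findByNames($pdo, []);                        // zero rows and no query sent

printf(
    "naive query leaked %d rows; safe lookup: %d rows, payload: %d rows, empty selection: %d rows\n",
    count($leaked), count($rows), count($safe), count($none)
);
```

When wiring this to the form, pass `(array) ($_POST['Your_name'] ?? [])` into findByNames so a missing or scalar value does not trip the array type hint; the is_string filter inside then drops anything that is not a plain string before it reaches the statement.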
