0

I'm trying to build a query using PHP and MySQL:

 $query = "select * from products where product_name = '$item_name'";

This works when $item_name holds only one name, but $item_name is an array and, based on the user's interaction, can contain multiple names. How can I make the query run for multiple names and get the resulting rows?

Thanks in advance

5 Answers

6

Here's how you could build a safe list of names for inserting into an IN clause...

if (is_array($names) && count($names))
{
    // escape each name, then wrap the whole list in quotes: ('a','b','c')
    $filter="('".implode("','", array_map('mysql_real_escape_string', $names))."')";
    $sql="select * from products where product_name in $filter";

    //go fetch the results
}
else
{
    //input was empty or not an array - you might want to throw
    //an error, or show 'no results'
}

array_map returns the input array of names after running each name through mysql_real_escape_string to sanitize it. We implode that array to make a nice list to use with an IN clause.

You should always ensure any data, particularly coming directly from the client side, is properly escaped in a query to prevent SQL injection attacks.


1 Comment

To make it even more instructive, I'd suggest an else clause to avoid surprises ;-)
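A parameterized alternative to the escaping approach in this answer, added here as an example and not code from the answer or the question: one placeholder per array element, with the values bound through PDO so the driver handles quoting, and the empty-array case handled up front. It is run against an in-memory SQLite database (assumes the pdo_sqlite extension) so it works without a MySQL server; with a mysql: DSN the query-building function is unchanged.

```php
<?php
// Build "IN (?, ?, ?)" with one placeholder per value and bind the values,
// so user input is never spliced into the SQL text.
function findProductsByNames(PDO $db, array $names): array
{
    // An empty list would produce "IN ()", which is a syntax error.
    if ($names === []) {
        return [];
    }
    $placeholders = implode(', ', array_fill(0, count($names), '?'));
    $sql = "SELECT * FROM products WHERE product_name IN ($placeholders)";
    $stmt = $db->prepare($sql);
    $stmt->execute(array_values($names));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database (assumption:
// pdo_sqlite is available). For MySQL, use e.g. new PDO('mysql:...').
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, product_name TEXT)');
$insert = $db->prepare('INSERT INTO products (product_name) VALUES (?)');
foreach (["shoes", "shirts", "hats", "O'Reilly book"] as $name) {
    $insert->execute([$name]);
}

// Names as they might arrive from a form; the one containing a quote is
// matched correctly without any manual escaping.
$item_name = ["shoes", "O'Reilly book", "gloves"];
foreach (findProductsByNames($db, $item_name) as $row) {
    echo $row['id'], ': ', $row['product_name'], PHP_EOL;
}
```

Only the names present in the table come back; a value that matches nothing, like "gloves", simply yields no row.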
3
$vals = implode(',',$item_name);
$query = "select * from products where product_name in (".$vals.");";

Give that a try.

5 Comments

Should be $vals = '"'.implode('","', $item_name).'"'; in order to have quoted values.
+1, but yes, dove is right; sanitizing data would be very helpful.
This isn't a good example of how to construct a query - sanitizing the data should never be an afterthought, or even removed from instructive examples to make them clearer.
Thanks for your reply. After running the above code I get this error: Warning: implode() [function.implode]: Invalid arguments passed. Any idea?
amir, what's in your $item_name? If it's, for instance, a comma-separated list, you may want to explode it first. But go for Paul's reply.
0
$query = "select * from products where product_name in(";
foreach($item_name as $name) 
{
    // append each name, quoted, followed by a separator
    $query .= "'" . $name . "', ";
}

// drop the trailing ", " and close the IN list
$query = substr($query, 0, strlen($query) - 2);
$query .= ");";

First answer (by inkedmn) is really the best one though

2 Comments

You have a great opportunity to escape the string here ;-) And close the ')' afterwards.
yeah, not the best answer in the list.
-1
foreach($item_name as $name) {
    $query = "select * from products where product_name = '$name'";
    //whatever you want to do with the query here
}

something like that ought to do it.

1 Comment

This is an inefficient solution as it requires a round-trip to the database for each element in the array. My solution gets them all in one shot.
-1

Based on inkedmn's response (which didn't quote the item names):

$query = 'select * from products where product_name in ("' . implode('", "', $item_name ) . '")';

Although you may be better with a fulltext search.

http://dev.mysql.com/doc/refman/5.1/en/fulltext-search.html

1 Comment

Too many double quotes? What do you mean? It will become something like: 'select * from products where product_name in ("shoes", "shirts", "hats")'
