I'd like to select some data from my database using variables.

Here is a short version of my code:

// $a is either null or something like [1, 2]
if ($a) {
    $debug = implode(',', $a);
} else {
    $debug = [0-9];
}

$sql = "SELECT id FROM user WHERE id IN ($debug)";

How can I achieve that I get only user 1 and 2 (= value in $a) if $a is set and all user if $a is not set?


First:
Be aware when you directly inject a string inside queries, because you can be the target of a SQL injection.

Second:
Changing the query directly might be the easiest solution.

// $a is either null or something like [1, 2]
$sql = "SELECT id FROM user";
if ($a) {
    $debug = implode(',', $a);
    $sql = "SELECT id FROM user WHERE id IN ($debug)";
}

`target of a SQL Injection`: does this not need input from a user? If $debug is only set with known values (not from $_POST, or so) then this should not be a problem.
Does something like SELECT id FROM user WHERE id IN (any number) exist?
@Luuk in fact, in my code I've injected the string directly since idk where that array comes from, but I'm warning him of that possibility.
@Luuk the values are from $_GET but I check if the array just contains numbers :).
@user13977445 I'm unable to find any way to achieve what you are asking using numbers, or if you really really need this kind of thing, you can use something like where ... id IN (select id from user) and so inject select id from user as a string, but I mean, it's not that great as a suggestion ahah

You can set a flag on $a to check if it's null. $debug must contain a comma-separated string of ids, i.e. '2,32,12,54,56,76'.

$sql = "SELECT id FROM user ";
if (!empty($a)) {
    $debug = implode(',', $a); // here you must get a string like '1,2,3,4,5'
    $sql .= " WHERE id IN ($debug)";
}

//here if $a is empty you have all rows and if $a have values you get selected rows

//final query will be
// if a is empty 'SELECT id FROM user '
// else 'SELECT id FROM user WHERE id IN (1,2,3)' // where 1,2,3 got from $debug
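
Added example (not part of either answer above): the same "all users or only these ids" branch, with the ids validated as integers and bound through PDO placeholders instead of being concatenated into the SQL text, which addresses the injection concern raised in the first answer. The helper names `buildUserQuery` and `fetchUserIds`, the in-memory SQLite database and the sample rows are assumptions made for the demonstration.

```php
<?php
declare(strict_types=1);

/**
 * Build the query for "all users" (no ids) or "only these ids".
 * Returns [sql, params]; the ids never become part of the SQL text.
 * (Hypothetical helper, not from the page.)
 */
function buildUserQuery(?array $ids): array
{
    if (empty($ids)) {
        return ['SELECT id FROM user ORDER BY id', []];
    }
    $params = [];
    foreach ($ids as $id) {
        // Accept only integers (or integer strings such as "2" from $_GET).
        $int = filter_var($id, FILTER_VALIDATE_INT);
        if ($int === false) {
            throw new InvalidArgumentException('id must be an integer');
        }
        $params[] = $int;
    }
    // One "?" per value, e.g. IN (?,?) for two ids.
    $marks = implode(',', array_fill(0, count($params), '?'));
    return ["SELECT id FROM user WHERE id IN ($marks) ORDER BY id", $params];
}

function fetchUserIds(PDO $pdo, ?array $ids): array
{
    [$sql, $params] = buildUserQuery($ids);
    $stmt = $pdo->prepare($sql);
    foreach ($params as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT); // positions are 1-based
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (id INTEGER PRIMARY KEY)');
$pdo->exec('INSERT INTO user (id) VALUES (1), (2), (3)');

print_r(fetchUserIds($pdo, [1, '2']));    // the "$a is set" case
print_r(fetchUserIds($pdo, null));        // the "$a is not set" case
try {
    fetchUserIds($pdo, ['1) OR 1=1 --']); // constructed non-numeric value
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```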
