I have a list
$list = array('a','b','c','d','e','f');
$filter_list = join(", ", $list);
select * from test where id_col=12 and try_col in ($filter_list);
Could anybody tell me how I can do this?
$list = array('a','b','c','d','e','f');
$filter_list = "'" . join("', '", $list) . "'";
$query = "select * from test where id=12 and try_col in ($filter_list)";
// select * from test where id=12 and try_col in ('a', 'b', 'c', 'd', 'e', 'f')
Note that this will fail if your array values contain '. Here is a workaround:
$list = array("a'a",'a\a','b','c','d','e','f');
$temp = array_map("addslashes", $list);
$query = "SELECT * FROM test WHERE id=12 AND try_col in ('" . implode("','", $temp) . "')";
// SELECT * FROM test WHERE id=12 AND try_col in ('a\'a','a\\a','b','c','d','e','f')
addslashes should be quoted as a string. Also, it's much better to use his database-specific escape function. There are several ways to exploit SQL injection when strings are quoted with addslashes, and it's not locale-aware. Also, the correct way to escape some characters could be different with different RDBMSs. That's why I asked him about his database and the API he uses to talk with it.

pg_ functions?
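The safer way to build the same IN (...) query, as an added example that is not from the question or the answers above: generate one placeholder per value and let PDO bind the values, so quoting is the driver's job rather than addslashes()'s. It assumes the pdo_sqlite extension; the table and rows are constructed in memory for the demonstration.

```php
<?php
// Added example: parameterised IN (...) list with PDO. Not code from the
// original question or answers. Assumes pdo_sqlite is available.

function selectByTryCol(PDO $pdo, int $id, array $list): array {
    if ($list === []) {
        return [];                      // "IN ()" is a syntax error; short-circuit
    }
    // One "?" per value, e.g. "?, ?, ?" for three values.
    $placeholders = implode(', ', array_fill(0, count($list), '?'));
    $sql = "SELECT * FROM test WHERE id_col = ? AND try_col IN ($placeholders)";
    $stmt = $pdo->prepare($sql);
    // Bind by position: $id first, then the list values, in the same order
    // as the placeholders in $sql.
    $stmt->execute(array_merge([$id], array_values($list)));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE test (id_col INTEGER, try_col TEXT)");
$insert = $pdo->prepare("INSERT INTO test (id_col, try_col) VALUES (?, ?)");
// Constructed sample rows; "a'a" and 'a\a' are the awkward values from the
// second answer (a quote and a backslash inside the value).
foreach ([[12, 'a'], [12, "a'a"], [12, 'a\a'], [12, 'z'], [13, 'a']] as $row) {
    $insert->execute($row);
}

// The caller does not quote or escape anything; the driver handles both.
$list = array("a'a", 'a\a', 'b', 'c', 'd', 'e', 'f');
foreach (selectByTryCol($pdo, 12, $list) as $row) {
    echo $row['id_col'], ' ', $row['try_col'], PHP_EOL;
}
```

Only the two rows with id_col 12 whose try_col is in the list are returned; the row with id_col 13 and the value containing a quote are both handled without any escaping in the PHP code.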