Assume I have an array:
$elements = array('foo', 'bar', 'tar', 'dar');
Then I want to build up a DELETE ... IN SQL query:
$SQL = "DELETE FROM elements WHERE id IN ('" . implode(',', $elements) . "')";
The problem is that the ids in the elements array aren't quoted individually, i.e. the query looks like:
$SQL = "DELETE FROM elements WHERE id IN ('foo,bar,tar,dar')";
What's the best, most elegant way to fix this?
Add the quotes into the implode call (I'm assuming you meant implode):
$SQL = 'DELETE FROM elements WHERE id IN ("' . implode('", "', $elements) . '")';
This produces:
DELETE FROM elements WHERE id IN ("foo", "bar", "tar", "dar")
The best way to prevent against SQL injection is to make sure your elements are properly escaped.
An easy thing to do that should work (but I haven't tested it) is to use either array_map or array_walk, and escape every parameter, like so:
// Escape every element in place (mysql_real_escape_string needs an open ext/mysql connection)
$elements = array_map('mysql_real_escape_string', $elements);
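For comparison, the following is an added example, not code from the question or the answer above: it builds the same DELETE ... IN query with PDO placeholders (one "?" per array element) so the values are bound as data instead of being quoted into the SQL string. The table, rows, the hostile id value and the function names deleteByIdsUnsafe / deleteByIds are constructed for this illustration; it uses an in-memory SQLite database so it runs without a MySQL server.

```php
<?php
// Added example (not from the original page): hand-quoted IN list versus
// a placeholder-based IN list built with PDO. Database and rows are
// constructed here for illustration.

function newDatabase(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE elements (id TEXT PRIMARY KEY)');
    $insert = $pdo->prepare('INSERT INTO elements (id) VALUES (?)');
    foreach (['foo', 'bar', 'tar', 'dar', 'keep'] as $id) {
        $insert->execute([$id]);
    }
    return $pdo;
}

// The pattern from the question: values are quoted into the SQL text.
// Returns the number of rows deleted.
function deleteByIdsUnsafe(PDO $pdo, array $ids): int
{
    $sql = "DELETE FROM elements WHERE id IN ('" . implode("', '", $ids) . "')";
    return $pdo->exec($sql);
}

// Hardened form: one "?" placeholder per value, values bound at execute().
// Returns the number of rows deleted.
function deleteByIds(PDO $pdo, array $ids): int
{
    if ($ids === []) {
        return 0;   // "IN ()" is a syntax error, and there is nothing to delete
    }
    $placeholders = implode(', ', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("DELETE FROM elements WHERE id IN ($placeholders)");
    $stmt->execute(array_values($ids));   // bound as data, never interpolated
    return $stmt->rowCount();
}

function countRows(PDO $pdo): int
{
    return (int) $pdo->query('SELECT COUNT(*) FROM elements')->fetchColumn();
}

// A constructed hostile id: it closes the quoted list, adds an always-true
// condition and comments out the rest of the statement.
$hostile = "x') OR '1'='1' -- ";

// Hand-quoted: the string becomes
//   DELETE FROM elements WHERE id IN ('x') OR '1'='1' -- ')
// and every row is deleted.
$pdo = newDatabase();
printf("unsafe: deleted %d, remaining %d\n", deleteByIdsUnsafe($pdo, [$hostile]), countRows($pdo));

// Placeholders: the same string is compared as a literal id, so nothing matches.
$pdo = newDatabase();
printf("safe:   deleted %d, remaining %d\n", deleteByIds($pdo, [$hostile]), countRows($pdo));

// Normal use of the hardened form with the ids from the question.
printf("safe:   deleted %d, remaining %d\n", deleteByIds($pdo, ['foo', 'bar', 'tar', 'dar']), countRows($pdo));
```

The placeholder form also sidesteps the charset and connection-state concerns that make escaping functions fragile: the driver never has to recognise where a value ends because the value is sent separately from the query text. Note the explicit empty-array check; array_fill() with a count of zero would produce "IN ()", which is a syntax error in MySQL and SQLite alike.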