|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #72713 Prepeared statements and field IN (values)
Submitted: 2016-07-30 14:06 UTC Modified: -
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: rmoisto at gmail dot com Assigned:
Status: Open Package: PDO MySQL
PHP Version: Next Minor Version OS:
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2016-07-30 14:06 UTC] rmoisto at gmail dot com
There seems to be no simple way of using prepared statements in queries where "field IN (values)" is used.
Currently PDOStatement::execute doesn't handle it well if you give it an array as a value. If it could convert that array to comma-separated values instead, that would solve the issue. I'd like the test script below to work when this is implemented.

It's not only a matter of convenience. SQL injection attacks happen because of this.

I've implemented this in PHP code and it's not difficult. But it would be much better if the language supported this. People recommend implode and array_fill or str_repeat for generating question marks but that approach is not only ugly but named parameters can't be used in the same query.

I'm not the first to have this idea but I'm bringing it up because I can't find an answer to why this is not implemented.

Test script:
$db = new \PDO('mysql:host=host;dbname=db', 'user', 'pass');
$res = $db->prepare(
    'SELECT `name` FROM `table` WHERE `id` IN :ids AND `foo` = :bar'
    'ids' => [3, 2, 1],
    'bar' => 'bar'

Actual result:
Array to string conversion on line 9


Add a Patch

Pull Requests

Add a Pull Request

PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Apr 23 17:01:31 2024 UTC