php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #72713 Prepeared statements and field IN (values)
Submitted: 2016-07-30 14:06 UTC Modified: -
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: rmoisto at gmail dot com Assigned:
Status: Open Package: PDO MySQL
PHP Version: Next Minor Version OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: rmoisto at gmail dot com
New email:
PHP Version: OS:

 

 [2016-07-30 14:06 UTC] rmoisto at gmail dot com
Description:
------------
There seems to be no simple way of using prepared statements in queries where "field IN (values)" is used.
Currently PDOStatement::execute doesn't handle it well if you give it an array as a value. If it could convert that array to comma-separated values instead, that would solve the issue. I'd like the test script below to work when this is implemented.

It's not only a matter of convenience. SQL injection attacks happen because of this.

I've implemented this in PHP code and it's not difficult. But it would be much better if the language supported this. People recommend implode and array_fill or str_repeat for generating question marks but that approach is not only ugly but named parameters can't be used in the same query.

I'm not the first to have this idea but I'm bringing it up because I can't find an answer to why this is not implemented.

Test script:
---------------
<?php
$db = new \PDO('mysql:host=host;dbname=db', 'user', 'pass');
$res = $db->prepare(
    'SELECT `name` FROM `table` WHERE `id` IN :ids AND `foo` = :bar'
);
$res->execute([
    'ids' => [3, 2, 1],
    'bar' => 'bar'
]);
var_dump($res->fetch());


Actual result:
--------------
Array to string conversion on line 9

Patches

Add a Patch

Pull Requests

Add a Pull Request

 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Thu Dec 12 08:01:24 2019 UTC