php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #72713 Prepeared statements and field IN (values)
Submitted: 2016-07-30 14:06 UTC Modified: -
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: rmoisto at gmail dot com Assigned:
Status: Open Package: PDO MySQL
PHP Version: Next Minor Version OS:
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: rmoisto at gmail dot com
New email:
PHP Version: OS:

 

 [2016-07-30 14:06 UTC] rmoisto at gmail dot com
Description:
------------
There seems to be no simple way of using prepared statements in queries where "field IN (values)" is used.
Currently PDOStatement::execute doesn't handle it well if you give it an array as a value. If it could convert that array to comma-separated values instead, that would solve the issue. I'd like the test script below to work when this is implemented.

It's not only a matter of convenience. SQL injection attacks happen because of this.

I've implemented this in PHP code and it's not difficult. But it would be much better if the language supported this. People recommend implode and array_fill or str_repeat for generating question marks but that approach is not only ugly but named parameters can't be used in the same query.

I'm not the first to have this idea but I'm bringing it up because I can't find an answer to why this is not implemented.

Test script:
---------------
<?php
$db = new \PDO('mysql:host=host;dbname=db', 'user', 'pass');
$res = $db->prepare(
    'SELECT `name` FROM `table` WHERE `id` IN :ids AND `foo` = :bar'
);
$res->execute([
    'ids' => [3, 2, 1],
    'bar' => 'bar'
]);
var_dump($res->fetch());


Actual result:
--------------
Array to string conversion on line 9

Patches

Add a Patch

Pull Requests

Add a Pull Request

 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Mon Aug 08 15:05:47 2022 UTC