php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #72713 Prepeared statements and field IN (values)
Submitted: 2016-07-30 14:06 UTC Modified: -
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: rmoisto at gmail dot com Assigned:
Status: Open Package: PDO MySQL
PHP Version: Next Minor Version OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!
Your email address:
MUST BE VALID
Solve the problem:
17 + 35 = ?
Subscribe to this entry?

 
 [2016-07-30 14:06 UTC] rmoisto at gmail dot com
Description:
------------
There seems to be no simple way of using prepared statements in queries where "field IN (values)" is used.
Currently PDOStatement::execute doesn't handle it well if you give it an array as a value. If it could convert that array to comma-separated values instead, that would solve the issue. I'd like the test script below to work when this is implemented.

It's not only a matter of convenience. SQL injection attacks happen because of this.

I've implemented this in PHP code and it's not difficult. But it would be much better if the language supported this. People recommend implode and array_fill or str_repeat for generating question marks but that approach is not only ugly but named parameters can't be used in the same query.

I'm not the first to have this idea but I'm bringing it up because I can't find an answer to why this is not implemented.

Test script:
---------------
<?php
$db = new \PDO('mysql:host=host;dbname=db', 'user', 'pass');
$res = $db->prepare(
    'SELECT `name` FROM `table` WHERE `id` IN :ids AND `foo` = :bar'
);
$res->execute([
    'ids' => [3, 2, 1],
    'bar' => 'bar'
]);
var_dump($res->fetch());


Actual result:
--------------
Array to string conversion on line 9

Patches

Add a Patch

Pull Requests

Add a Pull Request

 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Mon Aug 08 17:05:45 2022 UTC