I have an Array with data and I want to create an SQL statement (In which I am going to use where to where in).
I have tried to make query but no success.
SQL will be like :
SELECT *
FROM documents
WHERE category = "recruitment"
AND sub_category in("forms")
OR category = "onboarding"
AND sub_category IN ("sop")
OR category = "policies"
AND sub_category IN("forms");
and Array is this :
{"Recruitment":["Forms"],"Onboarding":["Sop"],"Policies":["Forms"]}
I have tried this code :
foreach ($db_sub as $data=>$key){
$query = "where document.category = ".$data." or where document.sub_category in ('".$key."')";
}
But getting error array to string conversion. Plz help me.
Thanks in advance.
Error :
You are trying to concatenate a string with an array. Since your array's values are also arrays, you will have to convert them to string first. It could be done with the join function.
foreach ($db_sub as $data=>$key){
$query = "where document.category = ".$data." or where document.sub_category in ('".join(", ", $key)."')";
}
Now you shouldn't get array to string conversion error.
Use this example to create the required SQL query:
$whereClause = [];
$params = [];
foreach ($db_sub as $data => $key){
if (!is_array($key)) $key = [$key];
$whereClause[] = '(documents.category = ? AND documents.sub_category IN (?' . str_repeat(', ?', count($key) - 1) . '))';
$params[] = $data;
$params = array_merge($params, $key);
}
$whereClause = !empty($whereClause) ? 'WHERE ' . implode(' OR ', $whereClause) : '';
$query = "SELECT * FROM documents $whereClause";
$sth = $pdo->prepare($query);
$sth->execute($params);
$result = $sth->fetchAll();
Here variable $pdo is a PDO object
Related
I want to make a dynamic WHERE clause to find posts by multiple posters. This is my code so far.
$in = join(',', array_fill(0, count($myArray), "?"));
$query = "SELECT * FROM posts WHERE poster IN ($in)";
$statement = $conn->prepare($query);
$statement->bind_param(str_repeat("s", count($myArray)), ...$myArray);
$statement->execute();
$result = $statement->get_result();
The above code is working but only for the very first person in my array. How will I be able to get the posts from every person listed in the array?
Build up a string and append it to $query using a foreach loop
$where = "where poster IN ( "
foreach ($myArray as $value) {
$where = $where + "'" + $value + "'"
}
$where = $where + " )"
$sql = "select id from table_name ";
$result = mysql_query($sql);
$data = array();
while($row = mysql_fetch_assoc($result))
{
$data[] = $row[id];
}
/* $data contains id's fetched from sql query from db.now i want to pass this id's(array of values) in $data array one by one to below select query in where condition and obtain desired result for each id.My question is how to pass an array of values to the below select statement I dont know how to do this.Any help is greatly appreciated.*/
$query = "select * from table where id1 = $data[] ";
$query = "select * from table where `id1` in (" . implode(', ', $data) . ")";
You should use the cross database function in Moodle called get_in_or_equal()
list($where, $params) = $DB->get_in_or_equal($data, SQL_PARAMS_NAMED);
$sql = "SELECT *
FROM {table}
WHERE $id {$where}"
$records = $DB->get_records_sql($sql, $params);
You can use the IN clause.
When you are totally sure you only have numeric values in your $data array. You can do the following:
$query = "select * from table where id1 IN(" . implode(',', $data) . ")";
You can use this:
$comma_separated = implode(",", $data);
if ($comma_separated != "")
$query = "select * from table where id1 IN($comma_separated)";
Given the following code
<?php
$values = array('Foo' =>'Foo' ,'Bar' =>'Bar' );
$separated = "'" . implode("','", $values)."'";
$sql = 'SELECT NAME,AGE FROM CATS WHERE TITLE IN(' .$separated.')' ;
print_r($sql);
produces:
SELECT NAME,AGE FROM CATS WHERE TITLE IN('Foo','Bar')
Is there anything I need to be aware of about SQL injection using this type of query builder? If so, what is an attack that can occur?
The only rule of SQL security:
NO value should be added to a query directly, but via placeholder only
So, you have to use a library that supports placeholders.
Assuming your database is mysql, the best choice would be safemysql, which will let you have as simple code as this:
$sql = 'SELECT NAME,AGE FROM CATS WHERE TITLE IN(?a)';
$data = $db->getArr($sql, $values);
print_r($data);
or you can use PDO, but it will take you a lot more trouble
You should never use any variables in queries no matter where they come from. A solution for PDO and parameterized queries will be to add placeholders to the query.
I do it something like this:
function getPlaceholders ($array) {
return !empty($array)
? implode(',', array_fill(0, count($array), '?'))
: null;
}
$userIds = array(1,2,3,4);
$sql = 'SELECT FROM users WHERE id IN (' . $this->getPlaceholders($userIds) . ')';
$result = pdo_query($sql, $userIds);
Normally you would have this in a OOP-format.
$userIds = array(1,2,3,4);
$sql = 'SELECT FROM users WHERE id IN (' . $this->getPlaceholders($userIds) . ')';
$result = $this->db->query($sql, $userIds);
// common file which is extended
public function getPlaceholders ($array) {
return !empty($array)
? implode(',', array_fill(0, count($array), '?'))
: null;
}
This will generate a query like:
SELECT FROM users WHERE id IN (?,?,?,?)
When you need to do something like this:
SELECT * FROM userinfo WHERE id in (18,2,6,4,5)
And the id array comes from another query like:
$ids = $conn->fetchAll('SELECT origin from action WHERE url = "'.$url.'" AND SUBSTRING(origin,1,3)<>"pct" GROUP BY origin');
If I need to parse the array in order to give the right format to the query id do:
$norm_ids = '(';
foreach ($ids as $ids) {
$norm_ids .= $ids['origin'] .',';
}
$norm_ids = substr_replace($norm_ids ,"",-1) .')';
That outputs the ids like: (id1,id2,id3,id.......), so the I'll just: FROM userinfo WHERE id in ". $norm_ids;
But seems to ugly to me, is there a way to do this better?
You could do:
$idStr = rtrim(str_repeat('?,', count($ids), ',');
$query = 'SELECT * FROM userinfo WHERE id in (' . $idStr . ')';
and then use prepare():
$conn = $db->prepare($query);
$conn->execute($ids);
$res = $conn->fetchAll(...);
SELECT * FROM user_info WHERE id IN (SELECT origin from action ......) ....
Do you need the id's separate or can you combine them into 1 query?
perhaps something like:
SELECT * FROM userinfo WHERE id in (SELECT origin from action WHERE url = "'.$url.'" AND SUBSTRING(origin,1,3)<>"pct" GROUP BY origin');
this way you let the sql server do the work.
When i am faced with such situations, i use trim
$norm_ids_str = '';
foreach ($ids as $ids) {
$norm_ids_str .= $ids['origin'] .',';
}
$norm_ids = '(' . trim($norm_ids_str, ',') . ')';
I want to using result of query to another query with IN():
foreach($result as $key=>$value){
$id .= $value['id'];}
$sql2 = 'SELECT * FROM table where id IN($id)';
but the $id must be in 'id1, id2, id3' format. With $id .= $value['quiz_id'].' , ';
there is one comma after last id. How can I convert $id value to 'id1, id2, id3'.
Thanks in advance
Use an array:
$ids = array();
foreach($result as $key=>$value){
$ids[] = $value['id'];}
if (count($ids) > 0) // to avoid mySQL error on empty array
{
$ids_string = implode(",", $ids);
$sql2 = 'SELECT * FROM table where id IN($ids_string)';
}
foreach($result as $key=>$value){
$idArr[] = $value['id']
}
$idStr = implode(',', $idArr);
$sql2 = 'SELECT * FROM table where id IN($idStr)';
This will give you a comma separated string of ids that you can use in your IN() query.
Hope that helps