PDO bind array to Where IN [duplicate] - php

This question already has answers here:
PHP - Using PDO with IN clause array
(9 answers)
Closed 9 months ago.
I want to bind a array of Strings to the WHERE IN part of a SQL command, which I want to run afterwards on a SQL Server. The problem is probably that I try to bind an array of Strings and not an array of integers.
$totalCount =
"SELECT referral, COUNT(username) AS cnt FROM accounts
WHERE referral IN ($refIdsPartial) GROUP BY referral";
$ps_totalCounts = $dbh->prepare($totalCount);
$ps_totalCounts->execute();
//loop over total counts
foreach($ps_totalCounts as $row){
echo "Test<br>";
}
I echoed $refIdsPartial for you, so you have an idea what this is:
54469c27c687b332339627,54469ba0dec3e703865612,54469c77945c7091266617
Its just an imploded array of strings/varchars.
I tested the SQL command with my Managementstudio and I can ensure that this SQL command works, as long das I use the quote signs for each String/Varchar. Example:
SELECT referral, COUNT(username) AS cnt FROM accounts
WHERE referral IN ('54469c27c687b332339627','54469ba0dec3e703865612') GROUP BY referral
My problem:
In the code above it never goes into the foreach, so the result of the Query seems to be empty. What is wrong there (Ofcourse I tested only queries which should have results)?


You could use some string manipulation.
You can count the number of ? you'd need by using str_repeat("?", count(explode(",", $refIdsPartial))). This will create your placeholders.
$totalCount =
"SELECT referral, COUNT(username) AS cnt FROM accounts
WHERE referral IN (". str_repeat("?,", count(explode(",", $refIdsPartial))-1) . "?) GROUP BY referral";
Now that the placeholders are in place, you can explode the , from the string and execute
$ps_totalCounts->execute( explode(",", $refIdsPartial) );


Here is the snippet I use when trying to achieve an IN statement with an array.
This works dynamically, so whether you have an array of 2 or 200 it should execute as expected.
$ids = array(1,2,3);
$in = str_repeat('?,', count($ids) - 1) . '?';
$sql = "SELECT * FROM table WHERE column IN ($in)";
$stm = $db->prepare($sql);
$stm->execute($ids);
$data = $stm->fetchAll();
Your code will look like so:
$refIdsPartial = array('54469c27c687b332339627','54469ba0dec3e703865612','54469c77945c7091266617');
$in = str_repeat('?,', count($refIdsPartial ) - 1) . '?';
$totalCount = "SELECT referral, COUNT(username) AS cnt FROM accounts WHERE referral IN ($in) GROUP BY referral";
$ps_totalCounts = $dbh->prepare($totalCount);
$ps_totalCounts->execute();
//loop over total counts
foreach($ps_totalCounts as $row)
{
echo "Test<br>";
}


I faced similar problem with quite a big array to bind. Instead of skipping binding and injecting whole array directly to query or making workarounds with dynamically generating multiple unique placeholders to bind each record of array, I went for using find_in_set mysql function. Read more here.
In your case it would be:
$totalCount =
"SELECT referral, COUNT(username) AS cnt FROM accounts
WHERE find_in_set(referral,$refIdsPartial) GROUP BY referral";

Related

How do I use a variable in the WHERE condition of a MySQL query using a php variable? [duplicate]

This question already has answers here:
How to insert values in a PHP array to a MySQL table?
(2 answers)
Closed 5 years ago.
I'm using PHP session variable to track character ID's between two tables, characters and character_data_store.
The session ID definitely has the correct ID as I have had to print its value before it goes into the mySQL query.
For testing I selected a user I knew had a rapsheet and used
$usersql = "SELECT *
FROM character_data_store
WHERE character_data_store.`key` = 'RapSheet'
AND character_data_store.character_id = '216'";
Obviously I can't use this for all users as I need to confirm the right one has been selected so thats where the session variable comes in.
I've tried using:
$correctPlayer = $_SESSION['selpid'];
echo $correctPlayer; #confirm it's the right id and then remove
$usersql = "SELECT *
FROM character_data_store
WHERE character_data_store.'key' = 'RapSheet'
AND character_data_store.character_id = '$correctPlayer'";
I did some searching on SO and I found that int's need to have double quotes around them not single quotes, I tried that and had no luck but someone else suggested putting the session ID in exactly which I tried next:
$usersql = "SELECT *
FROM character_data_store
WHERE character_data_store.'key' = 'RapSheet'
AND character_data_store.character_id = {$_SESSION['selpid']}";
Each time I do this I get mysqli_fetch_assoc() expects parameter 1 to be mysqli_result, boolean given which SO tells me is because this operation results to false, I assume because it's not accepting the playerID from selpid or $correctPlayer?
It definitely works with the testing user where the playerID is inserted directly into the query. But I can't think of a way to do that since I need to match the playerID from table "characters" where the search is done against their first and last name and then pull the rapsheet data against the same playerID in table "character_data_store".
How do I use a variable in the WHERE condition of a MySQL query using a php variable?

You have obvious error in your code. You are missing quotes in {$_SESSION['selpid']} and you are using quotes in column name. Your query should be
$usersql = "SELECT * FROM character_data_store WHERE character_data_store.`key` = 'RapSheet' AND character_data_store.character_id = '{$_SESSION['selpid']}'";
You should not use quotes in column name, instead use backquotes(`) if you really need. I recommend prepared statements.

There are multiple ways to do this. A naive way to do this would be-
$usersql = "SELECT * FROM character_data_store WHERE character_data_store.'key' = 'RapSheet' AND character_data_store.character_id = ".$correctPlayer;
But to avoid sql injections I would recommend you use bindparam function to bind paramaters in a statement.
$sql="SELECT * FROM character_data_store WHERE character_data_store.'key' = 'RapSheet' AND character_data_store.character_id = ?";
if($stmt = $dbh->prepare($sql)){
$stmt->bindParam(1, $correctPlayer, PDO::PARAM_STR);
$ql = $stmt->execute() or die("ERROR: " . implode(":", $dbh->errorInfo()));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
$result['data'] = $row;

mysql and php problems to return array.

I am having a problem returning a JSON array after trying to do a query where I want the query to return the first name, last name , and email after giving it numerous ids. How would I go about returning an array with rows including the above parameters after giving it ids. here is what I have
This works :
$qry = "SELECT ALL $mysql_database.$patientsTable.Users_idUser FROM $mysql_database.$patientsTable WHERE doctorsTable_id_doctorsTable=$qr";
$res = mysql_query($qry,$connect) or die(mysql_error());
then this is what I am working on where it is not working :
$arr_length = count($arr);
for($i=1;$i<=$arr_length;$i++)
{
$integerIDs = json_decode('[' .json_encode($arr[$i]['Users_idUser']) . ']', true);
$q = "SELECT firstName,lastName,email from $mysql_database.$UsersTable WHERE idUser='$integerIDs[$i]'";
$res1 = mysql_query($q,$connect) or die(mysql_error());
}
I want to for loop to return the above question but i am having problem with this.

You may do this with one query using JOIN expression as follow:
SELECT firstName,
lastName,
email
FROM $mysql_database.$UsersTable u
INNER JOIN $mysql_database.$patientsTable p ON p.Users_idUser = u.idUser
WHERE p.doctorsTable_id_doctorsTable=$qr
However, I would suggest you using PDO abstraction over mysql_* functions and PHP variables as parameters to communicate with database as more reliable and comprehensive approach.

Dynamic PDO parameter binding issue with WHERE clause

I have a search form where users can enter a few pieces of information to search for records in the database. Due to the fact that some of the fields can be left blank, I am dynamically creating the WHERE clause of the query as well as dynamically binding the PDO parameters. Everything works great if the user only fills out 1 field in the search form but if more than 1 field is used then an empty array is returned. Here is my code.
if(count($_POST)>0)
{
//Remove any key that has no value
$data = array_filter($_POST);
//Define array to hold the pieces of the where clause
$where = array();
//loop each of the variable to build the query
foreach($data as $key=>$value)
{
$key = mysql_real_escape_string($key);
//Push values to array
array_push($where, "$key=:$key");
}
//Create the select query
$query = "SELECT application_ID,
student_last_name,
student_first_name,
s.school_name,
DATE_FORMAT(submission_datetime, '%m/%d/%Y %h:%i:%s %p') AS submission_datetime,
aps.name
FROM application a
LEFT JOIN application_status aps ON(aps.status_ID = a.application_status_ID)
LEFT JOIN schools s ON(s.school_ID = a.school_choice)";
//As long as criteria was selected in the search form then add the where clause to the query with user's search criteria
if(!empty($where))
{
$query .= "WHERE ".implode(" AND ", $where);
}
//Add ORDER BY clause to the query
$query .= " ORDER BY application_ID";
$stmt = $conn->prepare($query);
//loop each of the variables to bind parameters
foreach($data as $key=>$value)
{
$value = mysql_real_escape_string($value);
$stmt->bindparam(':'.$key, $value);
}
$stmt->execute();
$result = $stmt->fetchall(PDO::FETCH_ASSOC);
}
When I echo the query everything looks fine and even returns results when run from PHPMyAdmin. Here is the query.
SELECT application_ID,
student_last_name,
student_first_name,
s.school_name,
DATE_FORMAT(submission_datetime, '%m/%d/%Y %h:%i:%s %p') AS submission_datetime,
aps.name
FROM application a
LEFT JOIN application_status aps ON(aps.status_ID = a.application_status_ID)
LEFT JOIN schools s ON(s.school_ID = a.school_choice)
WHERE school_choice=:school_choice AND status_ID=:status_ID
ORDER BY application_ID ASC
When I print_r I get an empty array.
Thanks for any help you can provide.

When you iterate through an array to bind values to the PDO statement you should use bindValue instead of bindParam.
When you say $stmt->bindparam(':'.$key, $value), the query will use the value of the variable $value as it is at the time of the query execution. Value of $value will be the last element of the array.
http://php.net/manual/en/pdostatement.bindvalue.php
I hope this helps.

You are not supposed to use mysql_real_escape_string() with prepared statements. And in fact, this function will not work if you don't have a mysql_connect() initialized, which you don't.
That must be why it all is failing, your calls to mysql_real_escape_string() are returning FALSE for everything.
Also, what makes you think array keys coming from $_POST are safe to be used in your SQL query? You are taking a serious risk of SQL injection here, don't ever do that.

MySQL update multiple rows via PHP

I have to update the same value of multiple rows in a table and i would like to avoid multiple mysql_query using a foreach loop that scan every value of an array.
I try to explain using an example.
This is the solution of the problem using a foreach loop
$array=array(1,2,3);
foreach($array as $val){
$sql = "UPDATE mytable SET val_to_update = XX WHERE id = $val";
mysql_query($sql);
}
I didn't like to start hammering database with a crazy number of queries, because the number of element of the array is not fixed, and can also be large.
I have considered using the IN clause of SQL language but without knowing the number of parameters can not seem to find a solution.
Thinked at something like this, but I do not know if it is achievable:
$sql= "UPDATE Illustration SET polyptychID = $id_polyptych WHERE illustrationID IN (?,?,?);
and then bind all the parameters using a foreach loop for scan the array of parameters.
The problem, as I said, is that i don't know the number, so i can't place the right number of ? in sql query and, if I'm not mistaken, the number of occurrences of ? parameters must be the same as the binded parameters.
Anyone have solved a problem like this?

If you are sure, that the array is containing integers, why don't you do it like this:
$array=array(1,2,3);
if (sizeof($array) > 0 {
$sql = "UPDATE mytable SET val_to_update = XX WHERE id IN(".implode(',', $array).")";
mysql_query($sql);
}
If you want to use prepared statement you could create your sql using this code:
$array=array(1,2,3);
if (sizeof($array) > 0 {
$placeholders = array();
for($i=0; $i<sizeof($array); $i++) {
$placeholders[] = '?';
}
$sql = "UPDATE mytable SET val_to_update = XX WHERE id IN(".implode(',', $placeholders).")";
// .....
}
If the values in the $array exists in another table you could use something like this:
$sql = "UPDATE mytable SET val_to_update = XX WHERE id IN (SELECT id FROM another_table WHERE condition = 1)";

PDO binding values for MySQL IN statement [duplicate]

This question already has answers here:
Can I bind an array to an IN() condition in a PDO query?
(23 answers)
Closed 2 years ago.
I have an issue with PDO that I'd really like to get an answer for after being plagued by it for quite some time.
Take this example:
I am binding an array of ID's to a PDO statement for use in a MySQL IN statement.
The array would be say: $values = array(1,2,3,4,5,6,7,8);
The database-safe variable would be $products = implode(',' $values);
So, $products would then be a STRING with a value of: '1,2,3,4,5,6,7,8'
The statement would look like:
SELECT users.id
FROM users
JOIN products
ON products.user_id = users.id
WHERE products IN (:products)
Of course, $products would be bound to the statement as :products.
However, when the statement is compiled and values bound, it would actually look like this:
SELECT users.id
FROM users
JOIN products
ON products.user_id = users.id
WHERE products IN ('1,2,3,4,5,6,7,8')
The problem is it is executing everything inside of the IN statement as a single string, given that I've prepared it as comma-separated values to bind to the statement.
What I actually need is:
SELECT users.id
FROM users
JOIN products
ON products.user_id = users.id
WHERE products IN (1,2,3,4,5,6,7,8)
The only way I can actually do this is by placing the values within the string itself without binding them, however I know for certain there has to be an easier way to do this.

This is the same thing as was asked in this question: Can I bind an array to an IN() condition?
The answer there was that, for a variable sized list in the in clause, you'll need to construct the query yourself.
However, you can use the quoted, comma-separated list using find_in_set, though for large data sets, this would have considerable performance impact, since every value in the table has to be cast to a char type.
For example:
select users.id
from users
join products
on products.user_id = users.id
where find_in_set(cast(products.id as char), :products)
Or, as a third option, you could create a user defined function that splits the comma-separated list for you (cf. http://www.slickdev.com/2008/09/15/mysql-query-real-values-from-delimiter-separated-string-ids/). This is probably the best option of the three, especially if you have a lot of queries that rely on in(...) clauses.

A good way to handle this situation is to use str_pad to place a ? for every value in the SQL query. Then you can pass the array of values (in your case $values) as the argument to execute:
$sql = '
SELECT users.id
FROM users
JOIN products
ON products.user_id = users.id
WHERE products.id IN ('.str_pad('',count($values)*2-1,'?,').')
';
$sth = $dbh->prepare($sql);
$sth->execute($values);
$user_ids = $sth->fetchAll();
This way you get more benefit from using prepared statements rather than inserting the values directly into the SQL.
PS - The results will return duplicate user ids if the products with the given ids share user ids. If you only want unique user ids I suggest changing the first line of the query to SELECT DISTINCT users.id

The best prepared statement you could probably come up with in a situation like this is something resembling the following:
SELECT users.id
FROM users
JOIN products
ON products.user_id = users.id
WHERE products IN (?,?,?,?,?,?,?,?)
You would then loop through your values and bind them to the prepared statement making sure that there are the same number of question marks as values you are binding.

you need to provide same number of ?s in IN as the number of values in your $values array
this can be done easily by creating an array of ?s as
$in = join(',', array_fill(0, count($values), '?'));
and use this $in array in your IN clause
THis will dynamically provide you with tailor made array of ?s as per your changiing $values array

You can do so very easily.
If you have an array of values for your IN() statement
EG:
$test = array(1,2,3);
You can simply do
$test = array(1,2,3);
$values = count($test);
$criteria = sprintf("?%s", str_repeat(",?", ($values ? $values-1 : 0)));
//Returns ?,?,?
$sql = sprintf("DELETE FROM table where column NOT IN(%s)", $criteria);
//Returns DELETE FROM table where column NOT IN(?,?,?)
$pdo->sth = prepare($sql);
$pdo->sth->execute($test);

If the expression is based on user input without binding the values with bindValue(), experimental SQL might not be a great choice. But, you can make it safe by checking the syntax of the input with MySQL's REGEXP.
For example:
SELECT *
FROM table
WHERE id IN (3,156)
AND '3,156' REGEXP '^([[:digit:]]+,?)+$'

Here is an example of binding an unknown number of record columns to values for an insert.
public function insert($table, array $data)
{
$sql = "INSERT INTO $table (" . join(',', array_keys($data)) . ') VALUES ('
. str_repeat('?,', count($data) - 1). '?)';
if($sth = $this->db->prepare($sql))
{
$sth->execute(array_values($data));
return $this->db->lastInsertId();
}
}
$id = $db->insert('user', array('name' => 'Bob', 'email' => 'foo#example.com'));

Please try like this:
WHERE products IN(REPLACE(:products, '\'', ''))
Regards

Categories