Igor's Blog

PHP's PDO is a great way to access databases and works as expected for the most part, that is until you come to the IN() operator. Some peculiarities begin to emerge there, as I discovered recently when updating code for my travelblog.ws project.

Below is the kind of code I was running to execute a SQL statement and get back some results. The creation of the database connection ($dbConn) is not shown, for brevity. The code is quite straightforward.
 PHP
$binds = ...; /* see specific examples below */
$sql = ...; /* see specific examples below */
$statement = $dbConn->prepare($sql);           // prepare the statement with its placeholders
$results = $statement->execute($binds);        // bind the values and run; returns true/false, not rows
$data = $statement->fetchAll(\PDO::FETCH_OBJ); // fetch the result rows as objects


The IN() clause is actually very well documented in the PDOStatement API. It specifically states how it does not work:
Multiple values cannot be bound to a single parameter; for example, it is not allowed to bind two values to a single named parameter in an IN() clause.


So what does that mean? Well let's see. The following two bits of code produce the same results.
 PHP
$binds = array('id' => '0f841cb12dc75');
$sql = 'SELECT id FROM posts WHERE id = :id';


..and
 PHP
$binds = array('id' => '0f841cb12dc75');
$sql = 'SELECT id FROM posts WHERE id IN (:id)';


That's not surprising: a single bind parameter for IN() and the equals (=) operator will produce identical results (print_r() output below).
[pdoinbind3.png: print_r() output, one record returned]

When trying to combine multiple IDs into a single bind parameter for IN(), as in either of the two examples below...
 PHP
$binds = array('id' => '0f841cb12dc75, 33a384024f785');
$sql = 'SELECT id FROM posts WHERE id IN (:id)';

 PHP
$binds = array('id' => "'0f841cb12dc75', '33a384024f785'");
$sql = 'SELECT id FROM posts WHERE id IN (:id)';


...gives no results. That's due to not being able to bind multiple values to a single bind parameter, as the PDOStatement documentation quoted above says.
[pdoinbind1.png: print_r() output, empty result]

However the following monstrosity works...
 PHP
$binds = array('id' => "'0f841cb12dc75', '33a384024f785'");
$sql = 'SELECT id FROM posts WHERE id IN (' . $binds['id'] . ')';


The above code of course doesn't use a bind parameter at all, just string concatenation to build up the SQL statement. Not surprisingly, both records are returned.
[pdoinbind2.png: print_r() output, both records returned]

So what do you do if you want multiple bound values for the IN() operator? There are several options. You can use the last approach and concatenate the values into a string, which exposes you to SQL injection attacks and potentially poor performance. You can use multiple bind parameters, one for each value you want to bind, e.g. 'IN(:val1, :val2, :val3)'. You could also convert the IN() into multiple OR clauses inside the SQL.
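The second option (one placeholder per value) is easy to automate: generate the placeholder list from the number of values and pass the values as a positional array to execute(). The example below is added here and is not code from the original post; it uses an in-memory SQLite database and a constructed posts table so it runs stand-alone, and the selectPostsByIds() function name is my own.

```php
<?php
// Added example: bind a variable number of IN() values safely by
// generating exactly one positional placeholder per value.

function selectPostsByIds(PDO $dbConn, array $ids): array
{
    if ($ids === []) {
        // "IN ()" is a SQL syntax error; an empty list simply matches nothing.
        return [];
    }
    // Build "?, ?, ?" with one placeholder per value.
    $placeholders = implode(', ', array_fill(0, count($ids), '?'));
    $sql = "SELECT id FROM posts WHERE id IN ($placeholders)";
    $statement = $dbConn->prepare($sql);
    // A 0-indexed list binds positionally to the ? placeholders.
    $statement->execute(array_values($ids));
    return $statement->fetchAll(PDO::FETCH_OBJ);
}

// Constructed sample database (ids reuse the ones shown in the post).
$dbConn = new PDO('sqlite::memory:');
$dbConn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbConn->exec('CREATE TABLE posts (id TEXT PRIMARY KEY)');
$insert = $dbConn->prepare('INSERT INTO posts (id) VALUES (?)');
foreach (['0f841cb12dc75', '33a384024f785', 'ffffffffffff0'] as $id) {
    $insert->execute([$id]);
}

// Two values, two placeholders: both rows come back.
print_r(selectPostsByIds($dbConn, ['0f841cb12dc75', '33a384024f785']));

// The comma-separated string from the post is now bound as a single value,
// so it is compared as data rather than parsed as SQL and matches no row.
print_r(selectPostsByIds($dbConn, ["'0f841cb12dc75', '33a384024f785'"]));
```

The same approach works with named placeholders (:id0, :id1, ...) if the rest of the query already uses named binds; just build the placeholder names and the $binds array in the same loop.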

Which option is picked depends on the rest of your code. In my case I went for concatenation of the SQL string because it was the quickest to do without major refactoring and I didn't have to worry about SQL injection since all of my values were coming from other SQL query results first.

-i

About — I'm an enthusiastic software engineer and consultant interested in many fields including J2EE, programming, electronics, 3D printing, video games, wood working and gardening.
See my Resume for more information.
The views expressed in this blog are my own and not those of my employer.