Igor Kromin |   Consultant. Coder. Blogger. Tinkerer. Gamer.

PHP's PDO is a great way to access databases and works as expected on the most part, that is until you come to the IN() operator. Some peculiarities begin to emerge there as I've discovered recently when updating code for my travelblog.ws project.

Below is the kind of code I was running to execute a SQL statement and get back some results. Not showing the creation of the database connection ($dbConn) for brevity. The code is quite straight forward.
$binds = ...; /* see specific examples below */
$sql = ...; /* see specific examples below */
$statement = $dbConn->prepare($sql);
$results = $statement->execute($binds);
$data = $statement->fetchAll(\PDO::FETCH_OBJ);

The IN() clause is actually very well documented in the PDOStatement API. It specifically states how it does not work:
Multiple values cannot be bound to a single parameter; for example, it is not allowed to bind two values to a single named parameter in an IN() clause.

So what does that mean? Well let's see. The following two bits of code produce the same results.
$binds = array('id' => '0f841cb12dc75');
$sql = 'SELECT id FROM posts WHERE id = :id';

$binds = array('id' => '0f841cb12dc75');
$sql = 'SELECT id FROM posts WHERE id IN (:id)';

That's not surprising a single bind parameter for IN() and the equals (=) operator will produce identical results (print_r() output below).

When trying to combine multiple IDs into a single bind parameter for IN() such as both of the two examples below...
$binds = array('id' => '0f841cb12dc75, 33a384024f785');
$sql = 'SELECT id FROM posts WHERE id IN (:id)';

$binds = array('id' => "'0f841cb12dc75', '33a384024f785'");
$sql = 'SELECT id FROM posts WHERE id IN (:id)';

Gives no results. That's due to not being able to bind multiple values to a single bind parameter as in the PDOStatement documentation mentioned above.

However the following monstrosity works...
$binds = array('id' => "'0f841cb12dc75', '33a384024f785'");
$sql = 'SELECT id FROM posts WHERE id IN (' . $binds['id'] . ')';

The above code of course doesn't use a bind parameter, just string concatenation to build up the SQL statement. Not surprisingly, both of the records are returned.

So what do you do if you want to have multiple bound values for the IN() operators? There are several options - either use the last approach by concatenating values into a string, which will expose you to SQL injection attacks and potential poor performance. You can use multiple bind parameters, one for each value you want to bind e.g. 'IN(:val1, :val2, val3)'. You could also convert the IN() to multiple OR clauses inside the SQL.

Which option is picked depends on the rest of your code. In my case I went for concatenation of the SQL string because it was the quickest to do without major refactoring and I didn't have to worry about SQL injection since all of my values were coming from other SQL query results first.


Hope you found this post useful...

...so please read on! I love writing articles that provide beneficial information, tips and examples to my readers. All information on my blog is provided free of charge and I encourage you to share it as you wish. There is a small favour I ask in return however - engage in comments below, provide feedback, and if you see mistakes let me know.

If you want to show additional support and help me pay for web hosting and domain name registration, donations, no matter how small, are always welcome!

Use of any information contained in this blog post/article is subject to this disclaimer.
comments powered by Disqus
Other posts you may like...