1

Column state belongs to table2 and consists of the following varchars: "AL","AK",... In my PHP code I have the following string: $states="AL,AK,AZ,IL"; I tried to use it in a MySQL query in the following way:

$query = "SELECT * FROM 'table2' WHERE 'state' IN('$states')";

It does not show any results... What is the correct syntax for those apostrophes?

2
  • Be careful when putting data directly into a query. Make sure that those state abbreviations are coming straight from your code, and that you don't use this technique with data that must be escaped. Commented May 12, 2013 at 2:27
  • As an easier alternative (in combination with bound params) you can use FIND_IN_SET() instead of the IN clause. Commented May 12, 2013 at 2:30

3 Answers

7

The reason why it is not working is because:

  • the values in the IN statement are not wrapped in single quotes
  • the column name and table name are wrapped in single quotes when they shouldn't be, because they are identifiers, not string literals

Try this,

$individualStates = explode(",", $states);
$newState = "'" . implode("','", $individualStates) . "'";
$query = "SELECT * FROM table2 WHERE state IN($newState)";

When parsed, the statement becomes:

SELECT * FROM table2 WHERE state IN('AL','AK','AZ','IL')

As a side note, the query is vulnerable to SQL injection if the values of the variables come from outside. Please take a look at the article below to learn how to prevent it. By using prepared statements you can get rid of the single quotes around values.


4 Comments

@JW웃, with an empty array you will get an empty string.
@sectus then with an empty string you'll get no result (expected, because the array is empty).
@JW웃, if you have no empty string in your DB. : )
@JW웃: And I think something should be said here regarding SQL escaping.
5

This:

$states_in = "'" . implode("','", $individualStates) . "'";

Is bad. You're opening yourself to SQL injection. Instead, do this:

$states = explode(',', $states);
$states_in = array_map(array($instancePDO, 'quote'), $states);
$states_in = implode(',', $states_in);

If you prefer to use prepared statements instead, this will give you the placeholder string:

$states_placeholder = implode(',', array_fill(0, count($individualStates), '?'));

1 Comment

Thank you for the answer. Do you mean XSS? I use only <select> tags... so that must exclude the possibility of any injection. I do not use <input>. Or is there still a possibility for injection?
3
$states = explode(',', $states);
$states = array_map(function($value){return "'$value'";}, $states);
$query = "SELECT * FROM `table2` WHERE  `state` IN(".implode(',', $states).")";

But it is better to use a prepared statement. Read the related question.

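As an added example (not code from the question or from any of the answers), here is the placeholder approach the last two answers recommend carried through with PDO: one "?" per state, the values bound instead of quoted by hand, and the empty-list case that the comments on the first answer discuss handled before the query is built, since "IN ()" is a syntax error. It assumes PDO's SQLite driver for an in-memory database; table2 and its rows are constructed sample data standing in for the asker's MySQL table.

```php
<?php
// Added example, not from the original page: dynamic IN clause with PDO
// placeholders. Runs stand-alone against an in-memory SQLite database
// (constructed sample data); with MySQL only the DSN would change.
declare(strict_types=1);

function statesIn(PDO $pdo, string $states): array
{
    // Split the comma-separated string and drop empty entries ("AL,,AK").
    $list = array_values(array_filter(array_map('trim', explode(',', $states)), 'strlen'));

    // "IN ()" is invalid SQL in MySQL and SQLite, so an empty list means
    // "no rows" and must be answered without running a query.
    if ($list === []) {
        return [];
    }

    // One positional placeholder per value: "?,?,?" for three states.
    $placeholders = implode(',', array_fill(0, count($list), '?'));

    // Identifiers (table2, state) are plain names in the SQL text; only the
    // values travel through the placeholders, so they need no quoting here.
    $stmt = $pdo->prepare("SELECT id, state FROM table2 WHERE state IN ($placeholders)");
    $stmt->execute($list);

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE table2 (id INTEGER PRIMARY KEY, state VARCHAR(2))');
$insert = $pdo->prepare('INSERT INTO table2 (state) VALUES (?)');
foreach (['AL', 'AK', 'AZ', 'IL', 'NY', 'TX'] as $state) {
    $insert->execute([$state]);
}

// The same input string as in the question.
echo count(statesIn($pdo, 'AL,AK,AZ,IL')), " rows for AL,AK,AZ,IL\n";

// A value containing an apostrophe is bound as data: the statement stays
// well-formed and the odd value simply matches nothing.
echo count(statesIn($pdo, "AL,Z'Z")), " rows for AL,Z'Z\n";

// Empty input: no query is run and an empty array comes back.
echo count(statesIn($pdo, '')), " rows for empty input\n";
```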
