
How to use php array with sql IN operator?

Posted by: admin April 23, 2020

Questions:

I have an array with two values and I want to use it with the SQL IN operator in a select query.

Here is the structure of my table

id comp_id
1   2
2   3
3   1

I have an array $arr which has two values: Array ( [0] => 1 [1] => 2 )

I want to fetch the record of comp_id 1 and comp_id 2. So I wrote the following query.

SELECT * from table Where comp_id IN ($arr)

But it does not return the results.

Answer:

As you have plain integers can just do…

$sql = "SELECT * FROM table WHERE comp_id IN (".implode(',',$arr).")";

(as it keeps coming up, some additional information… )

If working with strings (particularly untrusted input), can do

$sql = "SELECT * FROM table WHERE comp_id IN 
        ('".implode("','",array_map('mysql_real_escape_string', $arr))."')";

but does not cope with values like NULL. And will add quotes blindly around numeric values, which does not work if using strict mysql mode. https://dev.mysql.com/doc/refman/8.0/en/sql-mode.html#idm140082377917056
… ie ONLY use this if really working with strings (like VARCHAR), NOT numeric columns.

The need to call something like mysql_real_escape_string is so that any quotes in the strings are properly dealt with! (as well as preventing SQL injections!)


… if DO want to work with ‘untrusted‘ numbers, can use intval or floatval

$sql = "SELECT * FROM table WHERE comp_id IN (".implode(",",array_map('intval', $arr)).")";

to sanitise the input (no quotes around the input).

Answer:

You need to convert the array into a comma-separated string:

$condition = implode(', ', $arr);

And, additionally, you might want to escape the values first (if you are unsure about the input):

$condition = implode(', ', array_map('mysql_real_escape_string', $arr));

Answer:

$arr is a PHP array; to the SQL server you need to send a string that will be parsed.
You need to turn your array into a list like 1, 2, etc.

to do this you can use the function http://php.net/implode

so before running the query try

$arr = implode ( ', ', $arr);

Answer:

You need to implode your array with ‘,’ comma

$imploded_arr = implode(',', $arr);

SELECT * from table Where comp_id IN ($imploded_arr)

Answer:

you can only pass string to mysql as query, so try this

mysql_query("SELECT * FROM table WHERE comp_id IN (".implode(',',$arr).")");

Answer:

You’re mixing PHP and SQL – for the IN SQL operator, you need a format like:

SELECT * from table WHERE comp_id IN (1,2)

So to get that in PHP you need to do something like:

$sql = "SELECT * from table Where comp_id IN (".implode(',',$arr).")";

Bear in mind that this only works if the array comprises of integers. You have to escape each element if they are strings.

Answer:

All the people here are proposing the same thing, but I got a warning in WordPress because of a simple error. You need to add commas to your imploded string. To be precise, something like this.

$query = "SELECT * FROM table Where comp_id IN ( '" . implode( "', '", $sanitized_brands ) . "' )";

Hoping it helps someone like me. 🙂

Answer:

You need something like:

$sql = "SELECT * from table where comp_id in (".implode(',',$arr).")";

Answer:

You need to actually convert your $arr to a string. The simplest way with what you’re doing would be to use implode()

$query = 'SELECT * from table Where comp_id IN (' . implode(',', $arr) . ')';

Right now if you echo your query you’ll see that rather than the array being in the IN statement, it will just be the word “Array”

Answer:

You need to convert the array to a string for use in the query:

$list = implode(',', $arr);

Then it can be used in the IN clause:

SELECT * from table Where comp_id IN ($list)

Answer:

As per @barryhunter's answer, which works only on arrays that contain integers only:

$sql = "SELECT * from table Where comp_id IN (".implode(',',$arr).")";

I’ve made some tweaks to make it work for array of strings:

$sql = "SELECT * from table Where comp_id IN ('".implode("','",$arr)."')";

Answer:

There are some risks of SQL injection in a few of the previous answers. It might be fine if you are completely certain about $arr being sanitized (and will stay that way). But if you aren’t completely sure, you might want to mitigate such risk using $stmt->bindValue. Here is one way of doing it:

# PHP
// Build one named placeholder per array element
$in_list = array();
for ($i = 0; $i < count($arr); $i++) {
    $key = 'in_param_' . $i;
    $in_list[':' . $key] = array('id' => $arr[$i], 'param' => $key);
}
$keys = implode(', ', array_keys($in_list));

// Your SQL ...
$sql = "SELECT * FROM table where id IN ($keys)";

// Prepare the statement first, then bind each value, then execute
$stmt = $this->getConnection()->prepare($sql);
foreach ($in_list as $item) {
    $stmt->bindValue(':' . $item['param'], $item['id'], PDO::PARAM_INT);
}
$stmt->execute();
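
The placeholder approach from the answer above, as an added example that is not part of the original answers: it builds one positional placeholder per array element, handles the empty-array case, and contrasts bound values with concatenation. The items table, the fetchByCompIds helper and the sample rows are assumptions made for the demo; it runs against an in-memory SQLite database.

```php
<?php
// Added example, not from any answer above. Table "items" and the sample rows are
// constructed to mirror the question; requires the pdo_sqlite extension.

/**
 * SELECT rows whose comp_id is in $ids, using one "?" placeholder per value.
 * An empty list returns [] without querying, because "IN ()" is a syntax error.
 */
function fetchByCompIds(PDO $pdo, array $ids): array
{
    $ids = array_values($ids);   // positional binding needs keys 0..n-1
    if (count($ids) === 0) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare(
        "SELECT id, comp_id FROM items WHERE comp_id IN ($placeholders) ORDER BY id"
    );
    $stmt->execute($ids);        // values are sent separately from the SQL text
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, comp_id INTEGER)');
$pdo->exec('INSERT INTO items (id, comp_id) VALUES (1, 2), (2, 3), (3, 1)');

// The array from the question.
print_r(fetchByCompIds($pdo, [1, 2]));

// Constructed untrusted element that closes the IN list when concatenated.
$untrusted = ['1) OR (1=1'];

// Concatenation: the element becomes part of the SQL grammar.
$concat = 'SELECT id FROM items WHERE comp_id IN (' . implode(',', $untrusted) . ')';
echo $concat, "\n";
echo count($pdo->query($concat)->fetchAll()), " row(s) via concatenation\n";

// Binding: the same element is compared as a single value and cannot alter the query.
echo count(fetchByCompIds($pdo, $untrusted)), " row(s) via bound parameters\n";

// Empty list: handled before any SQL is built.
var_dump(fetchByCompIds($pdo, []));
```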

Answer:

If your array is of Integers :

$searchStringVar = implode(",",$nameIntAryVar);
$query="SELECT * from table NameTbl WHERE idCol='$idVar' AND comp_id IN ($searchStringVar)";

If your array is of Strings :

$searchStringVar = implode("','",$nameStringAryVar);
$query="SELECT * from table NameTbl WHERE idCol='$idVar' AND comp_id IN ('$searchStringVar')";