how to use find() with condition 'IN' and some security issue

I use this code to get some results by using the find() function:

```php
$id = implode(',', (array)$id);

$post = MyPost::find("post_id IN (".$id.")");
```

Is it normal to use "IN", and I'm curious whether it has a security issue like SQL injection?

Thanks



Hey

Maybe it will allow SQL injection; you must use binding parameters, see here: http://docs.phalconphp.com/en/latest/reference/models.html#binding-parameters

Hi! Like this?

```php
$id = array(1,2,3);
$post = MyPost::find(array(
    "conditions" => "post_id IN (:id:)",
    "bind" => $id
));
```

Or do I have to do the same thing like... use implode() to turn my array into a string?

Thanks

edited Jan '15

It's not working now (pull request https://github.com/phalcon/cphalcon/pull/2990)

You can use something like this:

```php
// Cast every element to int before joining, so only digits reach the query string.
$id = implode(',', array_map('intval', (array)$id));

$post = MyPost::find("post_id IN (".$id.")");
```

Hi! But it will return 0 when I input some characters; what if I don't want the id with 0, and the result is what I want? :O

Thanks!
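The two concerns raised in this thread (concatenating an unvalidated list into the query string, and intval() silently turning junk like "abc" into 0) can be handled together. The following is an added example, not code from the thread or from Phalcon itself: one helper validates the id list strictly, dropping anything that is not a positive integer instead of coercing it to 0, and a second helper builds the IN condition from one named placeholder per id, using the same "conditions"/"bind" array shape shown earlier in the thread. The functions safeIdList() and inConditionWithBind(), and the sample input, are constructed for this example; the final MyPost::find() call is hypothetical.

```php
<?php
// Added example (not from the thread or from Phalcon): validate a list of ids
// before using it in an IN (...) condition.
declare(strict_types=1);

/**
 * Return only the values that are positive integers (int or digit-only string).
 * "abc", "1 OR 2", "0" and "-5" are dropped rather than turned into 0,
 * which is the difference from array_map('intval', ...).
 */
function safeIdList(array $ids): array
{
    $clean = [];
    foreach ($ids as $id) {
        // FILTER_VALIDATE_INT rejects anything that is not a whole integer
        // (no leading junk, no decimals); min_range excludes 0 and negatives.
        $n = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($n !== false) {
            $clean[] = $n;
        }
    }
    return array_values(array_unique($clean));
}

/**
 * Build a find() argument with one named placeholder per id
 * (":id0:, :id1:, ..."), so the values travel as bind parameters instead of
 * being concatenated into the condition string. The column name is fixed in
 * code on purpose; it must never come from user input.
 * Returns null when no valid id survives, so the caller can skip the query
 * rather than issue "post_id IN ()".
 */
function inConditionWithBind(array $ids): ?array
{
    $clean = safeIdList($ids);
    if ($clean === []) {
        return null;
    }
    $placeholders = [];
    $bind = [];
    foreach ($clean as $i => $n) {
        $placeholders[] = ":id{$i}:";
        $bind["id{$i}"] = $n;
    }
    return [
        'conditions' => 'post_id IN (' . implode(', ', $placeholders) . ')',
        'bind'       => $bind,
    ];
}

// Constructed sample input: the kind of mixed list a request might deliver.
$input = ['1', '2', 'abc', '0', '2', 7];

var_dump(safeIdList($input));           // "abc" and "0" are dropped, "2" is deduplicated
var_dump(inConditionWithBind($input));  // conditions string plus the bind array
var_dump(inConditionWithBind(['abc'])); // null: nothing valid to query for

// Hypothetical use with the model from the thread:
// $args = inConditionWithBind($input);
// $post = ($args === null) ? [] : MyPost::find($args);
```

With this approach a request containing only non-numeric values produces no query at all, rather than a query for post_id 0, and the ids that do pass validation never touch the condition string directly.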
