how to use find() with condition 'IN' and some security issue

I use this code th get some result by using find() function


$id = implode(',', (array)$id);

$post = MyPost::find("post_id IN (".$id.")");

Is this normal to use "IN" and I'm curious about is it has security issue like SQL Injection ?

Thanks



49.0k

Hey

Maybe It will sql injection , you must use binding paramaster see here http://docs.phalconphp.com/en/latest/reference/models.html#binding-parameters

Hi ! like this ?

$id = array(1,2,3);
$post = MyPost::find(array(
    "conditions" => "post_id IN (:id:)",
    "bind" => $id
    ));

or i have to do the same thing like... use implode() to make my array to string ?

Thanks

edited Jan '15

It not working now (pull request https://github.com/phalcon/cphalcon/pull/2990)

You can use something like this:

$id = implode(',', array_map('intval',(array)$id));

$post = MyPost::find("post_id IN (".$id.")");

Hi ! but it will return 0 when I input some characters , if i dont want the id with 0 and the result is what i want :O

Thanks!

It not working now (pull request https://github.com/phalcon/cphalcon/pull/2990)

You can use something like this:

$id = implode(',', array_map('intval',(array)$id));

$post = MyPost::find("post_id IN (".$id.")");


73
edited Feb '19
$ids = [1,2,3];
$post = MyPost::find([
    "conditions" => "post_id IN ({ids:array})",
    "bind" => ["ids" => $ids ],
    "bindTypes" => ["ids", \Phalcon\Db\Column::BIND_PARAM_INT]
]);