XF 2.2 Example to insert into database

There's no risk of injection as the values are quoted, no. Of course it's worth validating any input is roughly what you'd expect (an array of integers) but that's true of prepared statements too.
 
PHP:
// fetch row using prepared statements
$ids = array(1,2,3,4,5,6);
$row = $db->fetchRow(
    'SELECT some_column
        FROM xf_some_table
        WHERE id in (?)',
    [implode(',',$ids)]
);

Will return nothing.
I'm curious about why this doesn't work (haven't managed to try it yet though) - is there an easy explanation?
 
It's just not how prepared statements are evaluated. That query searches for a row with a single ID matching all of 1,2,3,4,5,6.
 
I'm curious about why this doesn't work (haven't managed to try it yet though) - is there an easy explanation?
Internally you would end up with a query that would be along the lines of:
SQL:
SELECT some_column
FROM xf_some_table
WHERE id in ("1,2,3,4,5,6")

The result of your implode function is escaped/quoted (which isn't going to work as intended).
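The behaviour described in this thread, worked through as an added example (not code from the thread or from XenForo): Python's sqlite3 module stands in for XenForo's `$db->fetchRow`, and the `xf_some_table` rows are constructed in memory. `fetch_with_imploded_string` reproduces the pattern from the first post, where the whole imploded list is bound to one `?` and so arrives at the server as a single string literal; `fetch_with_placeholder_list` is the usual fix, generating one `?` per value after checking that every value is an integer, so each id is still a bound parameter rather than interpolated text. `render_for_display` is a display-only helper that shows the literal the server ends up comparing against, mirroring the "Internally you would end up with" query above. The names `make_db`, `validate_int_list` and `render_for_display` are this example's own. Note that exactly what an integer column makes of the string `'1,2,3,4,5,6'` is engine-specific (SQLite here matches nothing; other engines apply their own string-to-number coercion), but in every engine it is one value, not six.

```python
import sqlite3
from typing import Iterable, List, Sequence

SELECT_SINGLE = "SELECT some_column FROM xf_some_table WHERE id IN (?) ORDER BY id"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for xf_some_table (assumption: id INTEGER, some_column TEXT)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE xf_some_table (id INTEGER PRIMARY KEY, some_column TEXT)")
    conn.executemany(
        "INSERT INTO xf_some_table (id, some_column) VALUES (?, ?)",
        [(i, f"row-{i}") for i in range(1, 11)],
    )
    return conn


def validate_int_list(ids: Iterable[object]) -> List[int]:
    """Reject anything that is not a plain int (bool is excluded on purpose) before it reaches SQL."""
    out: List[int] = []
    for value in ids:
        if isinstance(value, bool) or not isinstance(value, int):
            raise TypeError(f"expected an integer id, got {value!r}")
        out.append(value)
    return out


def fetch_with_imploded_string(conn: sqlite3.Connection, ids: Sequence[int]) -> List[str]:
    """The pattern from the thread: implode() the ids and bind the result to a single '?'.

    The driver binds ONE parameter, the text '1,2,3,4,5,6', so the IN list has one element.
    With a single id (e.g. [1]) this can succeed by accident, which makes the bug easy to miss.
    """
    bound = ",".join(str(i) for i in validate_int_list(ids))
    cur = conn.execute(SELECT_SINGLE, (bound,))
    return [row[0] for row in cur.fetchall()]


def fetch_with_placeholder_list(conn: sqlite3.Connection, ids: Sequence[int]) -> List[str]:
    """One '?' per value: the SQL text contains only placeholders, every id is a bound parameter."""
    clean = validate_int_list(ids)
    if not clean:
        return []  # 'IN ()' is a syntax error in most engines, so short-circuit the empty case
    marks = ",".join("?" * len(clean))  # e.g. "?,?,?"
    sql = f"SELECT some_column FROM xf_some_table WHERE id IN ({marks}) ORDER BY id"
    cur = conn.execute(sql, clean)
    return [row[0] for row in cur.fetchall()]


def render_for_display(sql: str, params: Sequence[object]) -> str:
    """Display-only approximation of the statement the server evaluates (ints bare, text quoted).

    Used to show what the binding did; the real queries above are always executed with parameters.
    """
    parts = sql.split("?")
    if len(parts) != len(params) + 1:
        raise ValueError("placeholder count does not match parameter count")
    rendered = parts[0]
    for value, tail in zip(params, parts[1:]):
        if isinstance(value, int) and not isinstance(value, bool):
            literal = str(value)
        else:
            literal = "'" + str(value).replace("'", "''") + "'"
        rendered += literal + tail
    return rendered


if __name__ == "__main__":
    db = make_db()
    ids = [1, 2, 3, 4, 5, 6]
    print("imploded  :", fetch_with_imploded_string(db, ids))
    print("server saw:", render_for_display(SELECT_SINGLE, (",".join(map(str, ids)),)))
    print("expanded  :", fetch_with_placeholder_list(db, ids))
```

Running the block prints an empty list for the imploded version, the rendered `WHERE id IN ('1,2,3,4,5,6')` that explains it, and the six matching rows for the per-value placeholder version. The validation step is what keeps the placeholder-list approach safe when the ids originate from request input: the SQL text is built only from `?` characters, and the values themselves never touch the query string.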
 