ansaurus

Question

Answer 1

+2 A:

The proper syntax would be

->prepare("SELECT blabla FROM foo WHERE id IN (?, ?, ?)")

for 3 items in that array, for example. You would then have to bind each of those items individually using bind_param().

If you don't have a size guarantee on the array, you'll have to write a couple helper functions to generate your SQL with the proper number of "?"'s and bind statements.

Marc W 2009-10-07 21:41:29

Indeed I do not know the size in advance. If I re-write the prepared statement for each iteration of the loop (to change the number of ?s), then it defeats the purpose of prepared statements.

nute 2009-10-07 22:03:56

I'm not quite sure what you want to accomplish in the loop. Will the values bound to the statement be changing each time? Are the _number_ of values bound changing? Are you executing an identical statement multiple times (don't know why you'd do this)?

Marc W 2009-10-07 22:08:28

the number of values IN(?,?,?) change each loop iteration sometimes it could be (1,2,3,4), or (1,2,3,4,5,6,7,8,9) ...

nute 2009-10-07 22:12:08

@nute. It may slightly defeat the speed advantage, but it still has the advantage of being safe from from malicious sql injection. You can always gain back the speed advantage of pre-preparing one statement per length-of-in clause.

Cheekysoft 2009-10-29 17:33:38

Answer 2

A:

I think I found the answer to my question:

->prepare("SELECT stuff FROM table_name WHERE id IN (?)");

$itemList = implode(',',$items);
$children->bind_param('s',$itemList);

Seems to be working fine when using a string with coma-separated values. I'm still checking if the results are really accurate ...

nute 2009-10-07 22:09:18

Hmm, that shouldn't be working. The prepared statement should wind up being `SELECT stuff FROM table_name WHERE id IN ('1, 2, 3, 4, 5')` in that situation, which shouldn't work as you expect...

ceejayoz 2009-10-07 23:41:24

No it won't work. Please don't use this code!

too much php 2009-10-08 07:30:52

However it does seem to work fine so far ...If you've got a better idea, please let me know!

nute 2009-10-08 20:02:43

Answer 3

A:

If you have a list of variables that differs in size every call that you wanto to bind to an IN-statement, the most simple way would be to generate the SQL string programatically and use a loop to bind the variables:

/**
 * @param  array  $values
 * @param  mysqli $db
 * @return mysqli_stmt
 */
function bindInValues(array $values, mysqli $db)
{
    $sql = sprintf('SELECT blabla FROM foo WHERE id IN (%s)',
        implode(', ', array_fill(0, count($values), '?'))
    );
    $stmt = $db->prepare($sql);
    foreach ($values as $value) {
        $stmt->bind_param('s', $value);
    }
    return $stmt;
}

If you like call_user_func_array you can use dynamic method invocation and go along without a loop.

/**
 * @param  array  $values
 * @param  mysqli $db
 * @return mysqli_stmt
 */
function bindInValues(array $values, mysqli $db)
{
    $sql = sprintf('SELECT blabla FROM foo WHERE id IN (%s)',
        implode(', ', array_fill(0, count($values), '?'))
    );
    $stmt = $db->prepare($sql);
    array_unshift($values, implode('', array_fill(0, count($values), 's')));
    call_user_func_array(array($stmt, 'bind_param'), $values);
    return $stmt;
}

Stefan Gehrig 2009-10-08 07:15:46

this of course means the use of Prepared Statements isn't really efficient anymore, since you're "preparing" at every iteration, instead of just once.Because I mean to send that SELECT statement many times in a row, with different number of params every time.

nute 2009-10-08 21:14:41

You're right - that's the inevitable consequence... But there is no other way around.

Stefan Gehrig 2009-10-08 21:20:14

If you're sending a different query (related to the SQL structure not the values) every time, you can skip the preparation step and directly build the SQL including the `IN` values.

Stefan Gehrig 2009-10-08 21:22:33

ansaurus

tags:

views:

answers:

php mysqli WHERE IN (?,?,? ...)

related questions