views: 1242

answers: 5

I would like to convert an array of IDs into a string of comma-separated values, to use in a MySQL UPDATE query. How would I do this?

+7  A: 
implode(',', $array);
Eran Galperin
Just don't forget to check that the array isn't empty first - otherwise your SQL will look like "WHERE `id` IN ()" which is an error.
nickf
This is a dangerous answer given that the stated use of the string is in an SQL statement. See troelskn's answer which demonstrates how you can escape all the array elements.
Paul Dixon
We don't know if he didn't get the data already sanitized. But it's true that somebody asking something that simple may need some advice on code security too ;-)
e-satis
Read the OP comment. I only answered the question, no need to make needless assumptions
Eran Galperin
+2  A: 

Make sure you pass the results through mysql_real_escape_string() before executing your query. This should prevent sql injection if you use implode() as others suggest.

And as nickf mentions, always check to make sure the array isn't empty or null first, and handle those cases. Since you are only dealing with ints, it wouldn't hurt to put some type checking in your assignments, otherwise you'll get SQL errors if a string slips in somehow.

Dana the Sane
+8  A: 

Remember to escape values:

'"' . implode('","', array_map('mysql_real_escape_string', $data)) . '"'
troelskn
+1  A: 

Often this type of situation is people building an array from another table for use in a 2nd query. If this is the case you can use a subquery to accomplish this.

Eg. UPDATE Table SET Column = Value WHERE ID IN ( SELECT ID FROM Table2 WHERE CONDITIONS )

DreamWerx
A: 

This is probably better if all ids should be numerical. Check that it consists of at least one integer with:

$ids = array_filter($ids, 'is_int');
if (!$ids) {
    //no valid ids returned.
    die('or something');
}
$sql .= '(' . implode(',', $ids) . ')';
OIS
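
The answers above raise three checks for an ID list used in an UPDATE: an empty array, non-integer values, and injection through unescaped elements. The following added example (not code from any answer on this page) combines them, and goes one step beyond the escaping shown above by binding each ID as a PDO placeholder; the in-memory SQLite connection standing in for MySQL, the `items` table and the `archived` column are assumptions for illustration.

```php
<?php
// Added example, not taken from the answers above.
// Assumptions: PDO with the SQLite driver is available; the in-memory database
// stands in for a MySQL connection; `items` and `archived` are hypothetical names.

/** Reduce raw input to unique positive integer IDs; anything else is dropped. */
function clean_ids(array $raw): array
{
    $ids = [];
    foreach ($raw as $value) {
        // Accepts 7 and "7"; rejects "7 OR 1=1", "1e3", "", arrays.
        $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id !== false) {
            $ids[$id] = $id; // keyed by value to de-duplicate
        }
    }
    return array_values($ids);
}

/** Run the UPDATE with one bound placeholder per ID; returns rows affected. */
function archive_items(PDO $db, array $rawIds): int
{
    $ids = clean_ids($rawIds);
    if (!$ids) {
        return 0; // empty list: skip the query instead of emitting "IN ()"
    }
    // implode() only ever joins literal "?" characters, never user data.
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("UPDATE items SET archived = 1 WHERE id IN ($placeholders)");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT); // positions are 1-based
    }
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, archived INTEGER NOT NULL DEFAULT 0)');
$db->exec('INSERT INTO items (id) VALUES (1), (2), (3), (4)');

// Mixed constructed input: valid IDs, a duplicate, and two values that fail validation.
var_dump(archive_items($db, ['2', 3, '4 OR 1=1', 'abc', '3']));
var_dump(archive_items($db, [])); // empty input: no query is sent
```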