I'm probably missing something obvious but does anyone know how to pass an array of values for a particular parameter to a prepared statement?

I would like to:

$sql = 'SELECT * FROM whatever WHERE id IN (?)';
$stmt = $pdo->prepare($sql);

$ids = array(1,2,3);
$stmt->execute(array($ids));

But instead I have to quote each id individually and build a comma separated string and then insert the string directly into my sql statement. I can't even pass the string as a parameter because it would end up being quoted as well.

This seems to negate at least some of the value of prepared statements.

    You can't do this with prepared statements. It will only substitute a parameter for a single value per query.

    I recommend that you (carefully) build a dynamic SQL statement instead- ensure that all escaping is done appropriately (e.g. if they are ints, make sure they are)

    Mark

      Thanks. Hoping I was wrong. Sure it a big loophole.

        Write a Reply...