I'm trying to take an array and implode it and than run it through a mysql query to search my database for matches. If there are matches, I wanna return the matching values. It keeps returning false and I'm not sure why. I did a vardump and can see the array is there, but doesn't seem to be getting passed to the mysql_query. If I manually put the array into the query it works no problem. Any ideas?
My Array (This comes from my Android App):
$refids = (jdu23764js84, 2746272jsjs7f, 39823874hbsjsk)
PHP script code:
public function searchList($refids) {
$refarray = array($refids);
$comma_separated = implode(',', $refarray);
$result = mysql_query("SELECT `ref_id` FROM `main` WHERE `ref_id` IN
({$comma_separated})");
if ($result == true){
$result = mysql_fetch_array($result);
return $result;
} else {
return false;
}
You've forgotten to quote the individual values inside your $refids, so you're building
... WHERE `ref_id` IN (jdu23764js84, 2746272jsjs7f, ...)
and MySQL is interpreting those as field names. In other words, you're suffering from an SQL injection attack vulnerability, and your utter lack of ANY error handling on the database code is preventing from seeing the errors mysql is trying to tell you about:
$csv = implode("','", $refarray);
^-^-- note the addition of the quotes:
$sql = "SELECT .... `ref_id` IN ('{$csv}')";
^------^--- again, note the quotes
This fixes the problem in the short term. In the long term, you need to read through http://bobby-tables.com and learn what it has to tell you.