MySQL where in (array) [duplicate]

Question

This question already has answers here:

Can I bind an array to an IN() condition in a PDO query? (22 answers)

Reference — frequently asked questions about PDO (3 answers)

Closed 8 years ago.

function delete_group($db) {
    $ids = Parameters::get('ids');
    $ids = implode(',', $ids); // now a string like '5,6,7'.
    add_to_log($ids);
    try {
        $stmt = $db->prepare("DELETE FROM mytable WHERE id IN (:ids)");
        $stmt->bindParam(':ids', $ids, PDO::PARAM_STR);
        $stmt->execute();
        response('success', 'success', NULL);
    }
    catch (PDOException $e) {
        response('error', 'Delete group failed.', NULL);
    }
}

This code doesn't work: only the first row is deleted. But if I do

$stmt = $db->prepare("DELETE FROM mytable WHERE id IN ($ids)");

instead (just insert the string), it works, though the code has the SQL injection security issue. How to make it work and keep secured?

Answer 1

$ids = Parameters::get('ids');
$ids = array_map('intval', $ids);
$ids = implode(',', $ids);

Now you don't have to worry about injection.