Could you please help me to prevent SQL injection in this case? I have this piece of code that works fine:
```php
$groups[] = "test1";
$groups[] = "test2";
// The group names are quoted by hand and interpolated straight into the SQL text.
$result = db_query("
    SELECT user_email, email_group, email_notifications, email_notifications_default
    FROM mantis_groups_view
    WHERE group_name IN ('" . implode("', '", $groups) . "')
");
if (db_num_rows($result) > 0) {
    foreach ($result as $row) {
        ...
    }
}
```
```php
$groups[] = "test1";
$groups[] = "test2";
// One '?' placeholder per group name: "?, ?"
$parameters = join(', ', array_fill(0, count($groups), '?'));
$result = db_query("
    SELECT user_email, email_group, email_notifications, email_notifications_default
    FROM mantis_groups_view
    WHERE group_name IN ({$parameters})
", ["'" . implode("', '", $groups) . "'"]); // a single concatenated string is passed as the parameter array
if (db_num_rows($result) > 0) {
    foreach ($result as $row) {
        ...
    }
}
```
```text
APPLICATION ERROR #401
Database query failed. Error received from database was #0: for the query:
SELECT user_email, email_group, email_notifications, email_notifications_default
FROM mantis_groups_view
WHERE group_name IN (?, ?)
Previous non-fatal errors occurred. Page contents follow.
Input array has 1 params, does not match query: ' SELECT user_email, email_group, email_notifications, email_notifications_default FROM mantis_groups_view WHERE group_name IN (?, ?) '
```
Thank you.
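A corrected form of the second snippet, added here as an example and not taken from the post or from MantisBT itself: each group name is passed as its own bound parameter, so the number of values always equals the number of `?` placeholders that the error message compares. It assumes the `db_query($query, array $params)` and `db_num_rows()` calls the post already uses, binding one value per `?` in order; the function name `fetch_group_emails` is hypothetical.

```php
<?php
// Added example (not from the original post): bind each group name as its own
// parameter so the placeholder count always equals the parameter count.

function fetch_group_emails( array $groups ) {
    // Assumption: db_query( $p_query, array $p_arr_parms ) as used in the
    // post, binding one value per '?' in order.
    if ( count( $groups ) === 0 ) {
        // "IN ()" is not portable SQL; return an empty result instead of
        // sending a query that some backends reject.
        return array();
    }

    // Reindex and stringify so the bound values line up with the placeholders.
    $values = array_values( array_map( 'strval', $groups ) );

    // One '?' per value: "?, ?" for two groups.
    $placeholders = implode( ', ', array_fill( 0, count( $values ), '?' ) );

    $query = "SELECT user_email, email_group, email_notifications, email_notifications_default
              FROM mantis_groups_view
              WHERE group_name IN ( $placeholders )";

    // The original attempt passed ONE string ("'test1', 'test2'") here, so the
    // driver saw 1 parameter for 2 placeholders. Passing $values itself
    // supplies one parameter per placeholder; the driver quotes each value,
    // so no manual quoting belongs in the query text or in the values.
    $result = db_query( $query, $values );

    $rows = array();
    if ( db_num_rows( $result ) > 0 ) {
        foreach ( $result as $row ) {
            $rows[] = $row;
        }
    }
    return $rows;
}

$groups = array( 'test1', 'test2' );
$rows = fetch_group_emails( $groups );
```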