function delete_group($db) {
$ids = Parameters::get('ids');
$ids = implode(',', $ids); // now a string like '5,6,7'.
add_to_log($ids);
try {
$stmt = $db->prepare("DELETE FROM mytable WHERE id IN (:ids)");
$stmt->bindParam(':ids', $ids, PDO::PARAM_STR);
$stmt->execute();
response('success', 'success', NULL);
}
catch (PDOException $e) {
response('error', 'Delete group failed.', NULL);
}
}
This code doesn't work: only the first row is deleted. But if I do
$stmt = $db->prepare("DELETE FROM mytable WHERE id IN ($ids)");
instead (just insert the string), it works, though the code has the SQL injection security issue. How to make it work and keep secured?
$ids = Parameters::get('ids');
$ids = array_map('intval', $ids);
$ids = implode(',', $ids);
Now you don't have to worry about injection.