Tags: php, mysql, codeigniter, sql-injection, codeigniter-3

Codeigniter 3 SQL Injection query


Suppose that $this->input->post('location') holds an array like this:

Array
(
    [0] => 0
    [1] => 1
    [2] => 2
    [3] => 3
    [4] => 4
    [5] => 5
    [6] => 6
    [7] => 7
)

Is this query "SQL injection" safe?

$in  = str_repeat('?,', count($this->input->post('location')) - 1) . '?';
$sql = "SELECT id 
        FROM location
        WHERE id IN ($in)";
$locations = $this->db->query($sql, $this->input->post('location'));

Thanks!


Solution

  • As seen on http://www.codeigniter.com/user_guide/database/queries.html, yes, it is safe to do it like that. But you need only one '?'.

    So the code should be like this:

    $sql = "SELECT id
            FROM location
            WHERE id IN ?";   // no parentheses: CodeIgniter adds them around an array binding
    // Wrap the array so it is bound to the single ? as one value instead of being
    // spread over several placeholders (a count mismatch leaves the query unbound).
    $locations = $this->db->query($sql, array($this->input->post('location')));
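The following stand-alone PHP, added here as an illustration and not taken from the question, the answer or CodeIgniter itself, models what the driver's binding step does with both forms: each `?` is replaced by an escaped value, and an array bound to one `?` becomes a parenthesised list. `escape_model()` and `compile_binds_model()` are simplified stand-ins written for this example (the quoting is illustrative; the real driver uses the database library's own escaping), and the `$locations` array is constructed input.

```php
<?php
// Added example: a simplified model of CodeIgniter 3 query binding, written for
// this page. It is NOT CodeIgniter's code; in an application you call
// $this->db->query($sql, $binds) and the driver escapes the values.

// Escape one scalar: integers stay bare, anything else is quoted with its
// backslashes and single quotes escaped (illustrative only; real drivers use
// the database library's escaping, e.g. mysqli_real_escape_string()).
function escape_model($value): string
{
    if (is_int($value) || is_float($value)) {
        return (string) $value;
    }
    return "'" . str_replace(["\\", "'"], ["\\\\", "\\'"], (string) $value) . "'";
}

// Replace each ? in $sql with the corresponding bind. An array bind becomes a
// parenthesised, comma-separated list, so the SQL is written "IN ?", not "IN (?)".
// CodeIgniter 3 leaves the query unbound when the counts differ; this model
// refuses instead, which is the safer failure. (Unlike CodeIgniter, it does not
// skip ? characters that sit inside quoted SQL literals.)
function compile_binds_model(string $sql, array $binds): string
{
    if (substr_count($sql, '?') !== count($binds)) {
        throw new InvalidArgumentException('placeholder count does not match bind count');
    }
    $out = '';
    foreach (explode('?', $sql) as $i => $piece) {
        $out .= $piece;
        if ($i < count($binds)) {
            $bind = $binds[$i];
            $out .= is_array($bind)
                ? '(' . implode(',', array_map('escape_model', $bind)) . ')'
                : escape_model($bind);
        }
    }
    return $out;
}

// Constructed input standing in for $this->input->post('location'); POST values
// arrive as strings, and the last one has been tampered with.
$locations = ['0', '1', "2' OR '1'='1"];

// Form 1 (the question): one ? per array element, the array spread over them.
$in = str_repeat('?,', count($locations) - 1) . '?';
echo compile_binds_model("SELECT id FROM location WHERE id IN ($in)", $locations), "\n";

// Form 2 (the answer): a single ? bound to the whole array, wrapped in an outer
// array so it counts as one bind. Both forms yield the same quoted list, and the
// tampered value stays inside its quotes instead of changing the query's structure.
echo compile_binds_model("SELECT id FROM location WHERE id IN ?", [$locations]), "\n";
```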