Suppose there is data obtained via GET

    $objectIds = $_GET['ids'];

and there is an example query that uses this $objectIds

    $model->exec("select * from table_name where id IN(".$objectIds.")")->getAll();

How do I correctly process the data received from $_GET? Can it be filtered somehow?

  • use prepared statements with bound variables. This feature is provided by the PDO and MySQLi extensions and by other libraries. - koks_rs
  • please, could you say more? A small example, if you can - Azik
  • the question is whether you want to protect against SQL injection or to convert $objectIds to the right format for the query? - koks_rs
  • I need to process exactly $objectIds - Azik
  • what is meant by "process"? What do you have in $objectIds? If it is a string like "1,2,3,4" then your example works. It is another matter if you need protection against forged requests. - koks_rs


In this query, $objectIds should be a string in which the required id values from the table_name table are listed, separated by commas. It all depends on what type of data $objectIds is. If it is an array, then you can convert it using the function implode(',', $objectIds);
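The following is an added example, not code from the question or the answer above. It shows the approach koks_rs suggests in the comments: validate the ids from $_GET, then build one "?" placeholder per id and bind each value with PDO, so the user-supplied text never becomes part of the SQL string. It assumes table_name has an integer id column; the in-memory SQLite database and its four rows are constructed here only so the script runs stand-alone, and the $good / $evil strings stand in for $_GET['ids'].

```php
<?php
// Added example: safe handling of an IN(...) list taken from a GET parameter.
declare(strict_types=1);

/**
 * Normalise the raw GET value ("1,2,3" or ids[]=1&ids[]=2) into a list of
 * non-negative integers. Anything that is not a plain digit string is rejected.
 */
function parseIds($raw): array
{
    $parts = is_array($raw) ? $raw : explode(',', (string) $raw);
    $ids = [];
    foreach ($parts as $part) {
        $part = trim((string) $part);
        // ctype_digit rejects "", "-1", "1 OR 1=1", "1) OR (1" and similar.
        if ($part === '' || !ctype_digit($part)) {
            throw new InvalidArgumentException('invalid id: ' . var_export($part, true));
        }
        $ids[] = (int) $part;
    }
    return array_values(array_unique($ids));
}

/**
 * Build "SELECT * FROM table_name WHERE id IN (?,?,...)" with one placeholder
 * per id and bind every value as an integer; the ids never touch the SQL text.
 */
function fetchByIds(PDO $pdo, array $ids): array
{
    if ($ids === []) {
        return []; // "IN ()" is a syntax error, so short-circuit an empty list
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("SELECT * FROM table_name WHERE id IN ($placeholders)");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT); // positional params are 1-based
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- demo with a constructed in-memory SQLite database (assumption: the real
// --- table_name has an integer id column just like this one) ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE table_name (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO table_name VALUES (1,'a'),(2,'b'),(3,'c'),(4,'d')");

$good = '1,3,3';          // stands in for a normal $_GET['ids']
$evil = '1) OR 1=1 --';   // stands in for a malicious $_GET['ids']

print_r(fetchByIds($pdo, parseIds($good)));   // rows with id 1 and 3 only

try {
    fetchByIds($pdo, parseIds($evil));
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

With the original string concatenation, the $evil value would have produced `... WHERE id IN(1) OR 1=1 --)` and returned every row; here it never reaches the database, and even a value that passed validation is bound as a typed parameter rather than spliced into the query.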