BEWARE! This answer contains a severeSQL injection vulnerability. Do NOT use the code samples as presented here, without making sure that any external input is sanitized.

$ids = join("','",$galleries);   $sql = "SELECT * FROM galleries WHERE id IN ('$ids')";

Using PDO:^[1]

$in = join(',', array_fill(0, count($ids), '?'));$select = <<<SQL    SELECT *    FROM galleries    WHERE id IN ($in);SQL;$statement = $pdo->prepare($select);$statement->execute($ids);

Using MySQLi^[2]

$in = join(',', array_fill(0, count($ids), '?'));$select = <<<SQL    SELECT *    FROM galleries    WHERE id IN ($in);SQL;$statement = $mysqli->prepare($select);$statement->bind_param(str_repeat('i', count($ids)), ...$ids);$statement->execute();$result = $statement->get_result();

Explanation:

Use the SQLIN() operator to check if a value exists in a given list.

In general it looks like this:

expr IN (value,...)

We can build an expression to place inside the() from our array. Note that there must be at least one value inside the parenthesis or MySQL will return an error; this equates to making sure that our input array has at least one value. To help prevent against SQL injection attacks, first generate a? for each input item to create a parameterized query. Here I assume that the array containing your ids is called$ids:

$in = join(',', array_fill(0, count($ids), '?'));$select = <<<SQL    SELECT *    FROM galleries    WHERE id IN ($in);SQL;

Given an input array of three items$select will look like:

SELECT *FROM galleriesWHERE id IN (?, ?, ?)

Again note that there is a? for each item in the input array. Then we'll use PDO or MySQLi to prepare and execute the query as noted above.

Using theIN() operator with strings

It is easy to change between strings and integers because of the bound parameters. For PDO there is no change required; for MySQLi changestr_repeat('i', tostr_repeat('s', if you need to check strings.

^{[1]: I've omitted some error checking for brevity. You need to check for the usual errors for each database method (or set your DB driver to throw exceptions).}

^{[2]: Requires PHP 5.6 or higher. Again I've omitted some error checking for brevity.}

ints:

$query = "SELECT * FROM `$table` WHERE `$column` IN(".implode(',',$array).")";

strings:

$query = "SELECT * FROM `$table` WHERE `$column` IN('".implode("','",$array)."')";

Assuming you properly sanitize your inputs beforehand...

$matches = implode(',', $galleries);

Then just adjust your query:

SELECT *FROM galleriesWHERE id IN ( $matches )

Quote values appropriately depending on your dataset.

Use:

select id from galleries where id in (1, 2, 5);

A simplefor each loop will work.

Flavius/AvatarKava's way is better, but make sure that none of the array values contain commas.

AsFlavius Stef's answer, you can useintval() to make sure allid are int values:

$ids = join(',', array_map('intval', $galleries));  $sql = "SELECT * FROM galleries WHERE id IN ($ids)";

ForMySQLi with an escape function:

$ids = array_map(function($a) use($mysqli) {     return is_string($a) ? "'".$mysqli->real_escape_string($a)."'" : $a;  }, $ids);$ids = join(',', $ids);  $result = $mysqli->query("SELECT * FROM galleries WHERE id IN ($ids)");

For PDO with prepared statement:

$qmarks = implode(',', array_fill(0, count($ids), '?'));$sth = $dbh->prepare("SELECT * FROM galleries WHERE id IN ($qmarks)");$sth->execute($ids);

We should take care ofSQL injection vulnerabilities and anempty condition. I am going to handle both as below.

For a pure numeric array, use the appropriate type conversion vizintval orfloatval ordoubleval over each element. For string typesmysqli_real_escape_string() which may also be applied to numeric values if you wish.MySQL allows numbers as well as date variants as string.

To appropriately escape the values before passing to the query, create a function similar to:

function escape($string){    // Assuming $db is a link identifier returned by mysqli_connect() or mysqli_init()    return mysqli_real_escape_string($db, $string);}

Such a function would most likely be already available to you in your application, or maybe you've already created one.

Sanitize the string array like:

$values = array_map('escape', $gallaries);

A numeric array can be sanitized usingintval orfloatval ordoubleval instead as suitable:

$values = array_map('intval', $gallaries);

Then finally build the query condition

$where  = count($values) ? "`id` = '" . implode("' OR `id` = '", $values) . "'" : 0;

or

$where  = count($values) ? "`id` IN ('" . implode("', '", $values) . "')" : 0;

Since the array can also be empty sometimes, like$galleries = array(); we should therefore note thatIN () does not allow for an empty list. One can also useOR instead, but the problem remains. So the above check,count($values), is to ensure the same.

And add it to the final query:

$query  = 'SELECT * FROM `galleries` WHERE ' . $where;

TIP: If you want to show all records (no filtering) in case of an empty array instead of hiding all rows, simply replace0 with1 in the ternary's false part.

Safe way without PDO:

$ids = array_filter(array_unique(array_map('intval', (array)$ids)));if ($ids) {    $query = 'SELECT * FROM `galleries` WHERE `id` IN ('.implode(',', $ids).');';}

• (array)$ids Cast$ids variable to array
• array_map Transform all array values into integers
• array_unique Remove repeated values
• array_filter Remove zero values
• implode Join all values to IN selection

Safer.

$galleries = array(1,2,5);array_walk($galleries , 'intval');$ids = implode(',', $galleries);$sql = "SELECT * FROM galleries WHERE id IN ($ids)";

Col. Shrapnel'sSafeMySQL library for PHP provides type-hinted placeholders in its parametrised queries, and includes a couple of convenient placeholders for working with arrays. The?a placeholder expands out an array to a comma-separated list of escaped strings*.

For example:

$someArray = [1, 2, 5];$galleries = $db->getAll("SELECT * FROM galleries WHERE id IN (?a)", $someArray);

* Note that since MySQL performs automatic type coercion, it doesn't matter that SafeMySQL will convert the ids above to strings - you'll still get the correct result.

We can use this "WHERE id IN" clause if we filter the input array properly. Something like this:

$galleries = array();foreach ($_REQUEST['gallery_id'] as $key => $val) {    $galleries[$key] = filter_var($val, FILTER_SANITIZE_NUMBER_INT);}

Like the example below:

$galleryIds = implode(',', $galleries);

I.e. now you should safely use$query = "SELECT * FROM galleries WHERE id IN ({$galleryIds})";

You may have tabletexts(T_ID (int), T_TEXT (text)) and tabletest(id (int), var (varchar(255)))

Ininsert into test values (1, '1,2,3') ; the following will output rows from table texts whereT_ID IN (1,2,3):

SELECT * FROM `texts` WHERE (SELECT FIND_IN_SET( T_ID, ( SELECT var FROM test WHERE id =1 ) ) AS tm) >0

This way you can manage a simple n2m database relation without an extra table and using only SQL without the need to use PHP or some other programming language.

More an example:

$galleryIds = [1, '2', 'Vitruvian Man'];$ids = array_filter($galleryIds, function($n){return (is_numeric($n));});$ids = implode(', ', $ids);$sql = "SELECT * FROM galleries WHERE id IN ({$ids})";// output: 'SELECT * FROM galleries WHERE id IN (1, 2)'$statement = $pdo->prepare($sql);$statement->execute();

Besides using the IN query, you have two options to do so as in an IN query there is a risk of an SQL injection vulnerability. You can uselooping to get the exact data you want or you can use the query withOR case

1. SELECT *      FROM galleries WHERE id=1 or id=2 or id=5;2. $ids = array(1, 2, 5);   foreach ($ids as $id) {      $data[] = SELECT *                    FROM galleries WHERE id= $id;   }

Because the original question relates to an array of numbers and I am using an array of strings I couldn't make the given examples work.

I found that each string needed to be encapsulated in single quotes to work with theIN() function.

Here is my solution

foreach($status as $status_a) {        $status_sql[] = '\''.$status_a.'\'';    }    $status = implode(',',$status_sql);$sql = mysql_query("SELECT * FROM table WHERE id IN ($status)");

As you can see the first function wraps each array variable insingle quotes (\') and then implodes the array.

NOTE:$status does not have single quotes in the SQL statement.

There is probably a nicer way to add the quotes but this works.

Below is the method I have used, using PDO with named placeholders for other data. To overcome SQL injection I am filtering the array to accept only the values that are integers and rejecting all others.

$owner_id = 123;$galleries = array(1,2,5,'abc');$good_galleries = array_filter($chapter_arr, 'is_numeric');$sql = "SELECT * FROM galleries WHERE owner=:OWNER_ID AND id IN ($good_galleries)";$stmt = $dbh->prepare($sql);$stmt->execute(array(    "OWNER_ID" => $owner_id,));$data = $stmt->fetchAll(PDO::FETCH_ASSOC);