-2
Next, I am developing a fuel system, specifically in the part of filters for generating a custom report it returns me an IN('1,2,3') with simple quotes
It all starts in the form, in which I have a multiselect that when sent via POST it returns to me as follows:
array(3) { [0]=> string(2) "41" [1]=> string(2) "42" [2]=> string(2) "43" }
So I use a trait to process this data that is called treatSqlIn($data)
public function tratarSqlIn($dados)
{
$valor = implode(',', $dados);
return $valor;
}
returning:
string(8) "41,42,43"
and use it within the FPDF:
$motoristas = TratarDados::tratarSqlIn($_POST['motorista']);
Assim ela é enviada para a model:
$saida->setMotorista($motoristas);
O SQL na model é da seguinte forma:
$sql = "SELECT *, a.quantidade, a.data_hora FROM ".$objClass->tabela." a
INNER JOIN tbtanque b ON (b.id_tanque = a.id_tanque)
INNER JOIN tbmotorista c ON (c.id_motorista = a.id_motorista)
INNER JOIN tbveiculo d ON (d.id_veiculo = a.id_veiculo)
WHERE a.id_cliente = ".$_SESSION['id_cliente']."
AND a.id_tanque IN(:tanques) AND a.id_motorista IN(:motoristas) AND a.id_veiculo IN(:veiculos) AND
a.data_hora BETWEEN :data_inicial AND :data_final AND a.flag_excluido = 0 ORDER BY a.id_saida DESC";
$stmt = $pdo->prepare($sql);
$stmt->bindValue(':tanques', $objClass->getTanque(), \PDO::PARAM_STR);
$stmt->bindValue(':motoristas', $objClass->getMotorista(), \PDO::PARAM_STR);
$stmt->bindValue(':veiculos', $objClass->getVeiculo(), \PDO::PARAM_STR);
$stmt->bindValue(':data_inicial', $objClass->getDataInicial(), \PDO::PARAM_STR);
$stmt->bindValue(':data_final', $objClass->getDataFinal(), \PDO::PARAM_STR);
$stmt->execute();
$objResultado = $stmt->fetchAll(\PDO::FETCH_ASSOC);
return $objResultado;
Using before $stmt->execute()
$stmt->debugDumpParams();
exit;
Returns me like this, inside the IN( has simple quotes):
SELECT *, a.quantidade, a.data_hora FROM tbmov_saida a
INNER JOIN tbtanque b ON (b.id_tanque = a.id_tanque)
INNER JOIN tbmotorista c ON (c.id_motorista = a.id_motorista)
INNER JOIN tbveiculo d ON (d.id_veiculo = a.id_veiculo) WHERE a.id_cliente = 11
AND a.id_tanque IN('77,78')
AND a.id_motorista IN('41,42,43')
AND a.id_veiculo IN('1,2')
AND a.data_hora BETWEEN '2020-07-01 12:00:00' AND '2020-07-31 12:00:00'
AND a.flag_excluido = 0 ORDER BY a.id_saida DESC
What do I know: I know bindValue already inserts the escapes and it doesn’t work either because I tried it with this code in the trait
public function tratarSqlIn($dados) { $valor = implode(',', $dados);
$explode_seq = explode(',', $valor);
$n = array();
foreach ($explode_seq as $num){
$n[] = "'" . $num . "'";
}
$result = implode(" , ", $n);
return $result;
}
and it gets IN('\'2\',\'3\'')...
How to remove these simple Apas?
here is a number of solutions for this: https://stackoverflow.com/questions/14767530/php-using-pdo-with-in-clause-array
– novic
Didn’t help much.
– Thalles Rangel
You need to study more ... it didn’t help because you don’t want to be helped, but you want ready.
– novic
The concept of helping is very abstract for you to say this.
– Thalles Rangel
So, I reaffirm ... study further.
– novic
The problem is not to study, I already knew the reason and the solution was the following: IN(".implode(',', $objClass->getMotorista() ).") in every IN in sql, because the bindValue automatically inserts a string inside single quotes. Thank you for your cooperation.
– Thalles Rangel
Using PDO::PARAM_STR does just that... in this case you don’t need to use bindValue, it generates it manually! The source of the data is safe!
– Duda Gervásio