Welcome to ShenZhenJia Knowledge Sharing Community for programmer and developer-Open, Learning and Share

I want to select some IDs based on a URL string, but with my code it displays only the first. If I write the IDs manually, it works great.

I have a url like this http://www.mydomain.com/myfile.php?theurl=1,2,3,4,5 (ids)

Now in myfile.php I have my SQL connection and:

$ids = $_GET['theurl']; (and I am getting 1,2,3,4,5)

If I use this:

$sql = "select * from info WHERE `id` IN (1,2,3,4,5)";
$slqtwo = mysql_query($sql);
while ($tc = mysql_fetch_assoc($slqtwo)) {
    echo $tc['a_name'];
    echo " - ";
}

I am getting the correct results. Now if I use the code below, it's not working:

$sql = "select * from info WHERE `id` IN ('$ids')";
$slqtwo = mysql_query($sql);
while ($tc = mysql_fetch_assoc($slqtwo)) {
    echo $tc['a_name'];
    echo " - ";
}

Any suggestions?


1 Answer

When you interpolate

"select * from info WHERE `id` IN ('$ids')"

with your IDs, you get:

"select * from info WHERE `id` IN ('1,2,3,4,5')"

...which treats your set of IDs as a single string instead of a set of integers.

Get rid of the single-quotes in the IN clause, like this:

"select * from info WHERE `id` IN ($ids)"

Also, don't forget that you need to check for SQL Injection attacks. Your code is currently very dangerous and at risk of serious data loss or access. Consider what might happen if someone calls your web page with the following URL and your code allowed them to execute multiple statements in a single query:

http://www.example.com/myfile.php?theurl=1);delete from info;-- 
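The fix the answer describes, written out as an added example that is not code from the original post: the comma-separated list from `theurl` is split, only pure integers are kept, and each one is bound to its own placeholder so the list is never interpolated into the SQL text. It uses PDO rather than the `mysql_*` functions from the question (that extension was removed in PHP 7) and assumes an existing `$pdo` connection to a MySQL database with the `info` table and `a_name` column from the question.

```php
<?php
// Added example, not from the original post. Assumes $pdo is a PDO
// connection opened elsewhere with PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION.

/**
 * Turn "1,2,3,4,5" into [1, 2, 3, 4, 5], dropping anything that is not a
 * run of digits. An input such as "1);delete from info;--" yields [] here,
 * because ")" and the rest are rejected before any SQL is built.
 */
function parseIdList(string $raw): array
{
    $ids = [];
    foreach (explode(',', $raw) as $part) {
        $part = trim($part);
        if ($part === '' || !ctype_digit($part)) {
            continue; // not an integer: skip it, do not guess
        }
        $ids[] = (int) $part;
    }
    return array_values(array_unique($ids));
}

/**
 * SELECT with one "?" placeholder per id, e.g. IN (?,?,?,?,?).
 * The values travel as bound parameters, never as part of the query string.
 */
function fetchNamesByIds(PDO $pdo, array $ids): array
{
    if ($ids === []) {
        return []; // "IN ()" is a syntax error in MySQL, so bail out early
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("SELECT a_name FROM info WHERE id IN ($placeholders)");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT); // positional, 1-based
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Usage in myfile.php, replacing the interpolated query from the question.
$ids = parseIdList($_GET['theurl'] ?? '');
foreach (fetchNamesByIds($pdo, $ids) as $name) {
    echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), " - ";
}
```

Because every id is validated with `ctype_digit` and then bound as an integer, the URL shown above produces an empty result set instead of a second statement.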
