This question already has an answer here:
- How can I prevent SQL injection in PHP? 28 answers
I have a situation where I'd like to add a list of names in an array and use it in an SQL query.
How I do it:
$names = implode(',', $names);
$sql = "DELETE FROM product WHERE name NOT IN ($names)";
This works ok if I use id (but I can't do that here). Problem is - name can have a comma in it (i.e. - benchpress rack, blue) and that breaks this query. Is there a way to bypass this issue?
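Added example, not part of the original question: one way to build the `NOT IN` list with a bound placeholder per name using PDO, so a comma or quote inside a name stays data and never becomes SQL syntax. The function name `deleteProductsNotIn`, the in-memory SQLite database, the sample rows, and the choice to reject an empty list are assumptions made for the demonstration.

```php
<?php
declare(strict_types=1);

// Delete every product whose name is not in $names, binding each name as a
// parameter so commas and quotes inside a name are data, never SQL syntax.
// (Hypothetical helper written for this example.)
function deleteProductsNotIn(PDO $pdo, array $names): int
{
    $names = array_values(array_unique($names));
    if ($names === []) {
        // "NOT IN ()" is a syntax error, and an empty keep-list would mean
        // "delete every row"; refuse instead of guessing (assumed policy).
        throw new InvalidArgumentException('keep-list must not be empty');
    }
    // One "?" per name, e.g. "?,?,?". Only placeholders are interpolated
    // into the SQL string; the names themselves are sent separately.
    $placeholders = implode(',', array_fill(0, count($names), '?'));
    $stmt = $pdo->prepare("DELETE FROM product WHERE name NOT IN ($placeholders)");
    $stmt->execute($names);
    return $stmt->rowCount();
}

// Constructed demo data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE product (name TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO product (name) VALUES (?)');
foreach (['benchpress rack, blue', "o'brien bar", 'dumbbell', 'old mat'] as $n) {
    $insert->execute([$n]);
}

// Keep two names, one containing a comma and one containing a quote.
$deleted = deleteProductsNotIn($pdo, ['benchpress rack, blue', "o'brien bar"]);
$left = $pdo->query('SELECT name FROM product ORDER BY name')
            ->fetchAll(PDO::FETCH_COLUMN);

echo "deleted: $deleted\n";
echo "remaining:\n  " . implode("\n  ", $left) . "\n";
```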