Welcome to the Question2Answer Q&A. There's also a demo if you just want to try it out.
+1 vote
258 views
in Q2A Core by

When executing a query with IN(#)

            $eventsconsidered = '"student_reserved", "student_paid", "tutor_accepted"'';

            $eventlogs = qa_db_read_all_assoc(
                                qa_db_query_sub('SELECT datetime, userid, eventid, eventname, params
                                                    FROM `^booking_log`
                                                    WHERE eventid = #
                                                    AND eventname IN(#)
                                                ;', $eventid, $eventsconsidered)
                                            );

it does not work.

When putting the string directly instead of the "#" it works.

What do I have to pass then?

Q2A version: 1.7.3
by
+1 Thanks for asking this question. I had the same issue few times ago but was busy so overlooked and didn't even realized to post here (so bad). Thanks once again...!

1 Answer

+3 votes
by
selected by
 
Best answer
The qa_db_query_sub function is for escaping untrusted user input. But it only accepts single parameters.

So what's happening is it's escaping your list of strings and looking for something that matches the whole string as one, not each of the 3 strings.

If the strings are completely defined by you then it's perfectly safe to put them directly into the query.
by
So I would directly use:

    AND eventname IN('.$eventsconsidered.')
by
Yes, as long as $eventsconsidered is specified by you, and not user input, it's fine to do that.
by
+1 @Scott, Thanks for explaining the issue. I had the same issue. It's clear now..
...