I have a multiselect field
<select name="duration[]" id="duration" title="Duration" multiple="multiple" size="3">
<option value="1">1 Months</option>
<option value="2">2 Months</option>
<option value="3">3 Months</option>
</select>
My PHP code implodes multiple values, i.e. 123 as 1,2,3, and inserts it in the database. The problem is that the field is not a required field, and when I leave it empty it gives me an error (Invalid arguments passed).
My PHP code is below:
$duration = array();
$duration = $_POST['duration'];
if($duration)
{
    foreach($duration as $value)
    {
        $months[] = $value;
    }
}
$sql = "SELECT * FROM tbl_courses WHERE duration IN (".implode($months, ',').") ";
Thanks in advance.
The two problems you have are that you try to implode on user input which may not be an array, and your code is vulnerable to SQL Injection.
To address those you should first check if it’s an array with is_array(), then check if it has any elements with count(), then finally implode but use array_map() to filter the values to prevent SQL Injection. This will not only prevent SQL Injection but will prevent syntax errors in your query because strings must be quoted in an IN clause.
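The checks described in the answer above, as an added example that is not code from the question or the answer. It goes one step further than filtering with array_map() by binding the validated integers as placeholders; the function names parse_durations and find_courses, the in-memory SQLite database, the sample rows and the choice to return all courses when nothing is selected are assumptions made for the illustration.

```php
<?php
// Added example: option values 1-3 come from the form on this page.
function parse_durations($raw, array $allowed = [1, 2, 3]): array
{
    if (!is_array($raw) || count($raw) === 0) {
        return []; // field left empty, or submitted as a scalar
    }
    $ints = array_map(
        static fn($v) => is_scalar($v) ? filter_var($v, FILTER_VALIDATE_INT) : false,
        $raw
    );
    // Keep only integers that match an option the form actually offers.
    $valid = array_filter($ints, static fn($v) => in_array($v, $allowed, true));
    return array_values(array_unique($valid));
}

function find_courses(PDO $pdo, array $months): array
{
    if ($months === []) {
        // Assumption: no selection means "no duration filter", never "IN ()".
        return $pdo->query('SELECT * FROM tbl_courses')->fetchAll(PDO::FETCH_ASSOC);
    }
    $marks = implode(',', array_fill(0, count($months), '?'));
    $stmt = $pdo->prepare("SELECT * FROM tbl_courses WHERE duration IN ($marks)");
    foreach ($months as $i => $month) {
        $stmt->bindValue($i + 1, $month, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo rows in an in-memory SQLite database (needs pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tbl_courses (name TEXT, duration INTEGER)');
$pdo->exec("INSERT INTO tbl_courses VALUES ('PHP basics', 1), ('SQL', 2), ('Security', 3)");

// Constructed inputs standing in for $_POST['duration'] ?? null.
$cases = [
    'two options' => ['1', '3'],
    'field empty' => null,
    'tampered'    => ['2', '1 OR 1=1'],
    'scalar'      => '1',
];
foreach ($cases as $label => $raw) {
    $rows = find_courses($pdo, parse_durations($raw));
    echo $label, ': ', implode(', ', array_column($rows, 'name')), PHP_EOL;
}
```

Because only integers from the allow-list ever reach the statement, a non-numeric element is dropped before the query is built, and an empty or non-array submission never produces the "Invalid arguments passed" warning.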