Why is this PDO query not working properly? $colors = $_GET[‘color’]; $colors = explode(‘

Question

0

Asked: June 10, 20262026-06-10T11:12:13+00:00 2026-06-10T11:12:13+00:00

Why is this PDO query not working properly? $colors = $_GET[‘color’]; $colors = explode(‘

0

Why is this PDO query not working properly?

$colors = $_GET['color'];
$colors = explode(' ', $colors);
$colors = implode(',',$colors);
$items = $con -> prepare("SELECT * FROM item_descr WHERE color_base1 IN (".$colors.")");
$items ->execute();
while($info = $items->fetch(PDO::FETCH_ASSOC)) 
{
echo $info['color_base1'];
}

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-10T11:12:14+00:00

You need to escape the $colors or you are subject to a SQL injection attack. There is a little-known PHP function array_fill that is GREAT for this:

$colors = explode(' ', $_GET['color']));
$parameters = join(', ', array_fill(0, count($colors), '?');
$items = $con->prepare("SELECT * FROM item_descr WHERE color_base1 IN ({$parameters})");
$items ->execute($colors);
while($info = $items->fetch(PDO::FETCH_ASSOC))  {
    echo $info['color_base1'];
}

It appears your problem is that your colors weren’t wrapped with quotes, but that problem goes away in my code because it uses bound parameters.

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

Why is this PDO query not working properly? $colors = $_GET[‘color’]; $colors = explode(‘

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply