Friday, 13 September 2013

DELETE IN with explode()

Good afternoon,
I have a form that submits an array of transaction IDs to
$_POST['transid'] so those transaction records can be deleted. I typically
use mysqli_real_escape_string to help prevent attacks, but I am not sure
how to go about it with an array. The following is my query:
$query = 'DELETE FROM TRANSACTIONS WHERE (transid) IN
("'.implode('","',$_POST['transid']).'")';
...which gives me something like this:
$query = 'DELETE FROM TRANSACTIONS WHERE (transid) IN
("123","124","138","145")';
This seems to be asking for trouble. How can I protect myself from
disaster (malicious or otherwise)? Is there an efficient way to sanitize
the array? Or should I go about this another way?
Any thoughts or guidance would be appreciated.
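Added example, not part of the original post: the same DELETE ... IN built from the array in $_POST['transid'], but with each value validated as an integer and bound as a prepared-statement parameter, so the submitted values never become part of the SQL text. The table name TRANSACTIONS and column transid are taken from the question; the mysqli connection $db, the function name, and the minimum ID of 1 are assumptions for illustration.

```php
<?php
// Added example (not the original poster's code). Deletes the transaction
// rows whose IDs were submitted as an array in $_POST['transid'].
// Assumes: a mysqli connection $db, and that transid is an integer column
// (so there is no string context for mysqli_real_escape_string to protect).

function deleteTransactions(mysqli $db, array $ids): int
{
    // 1. Validate every element as a positive whole number. Anything else
    //    ("123 OR 1=1", "", nested arrays, floats) is silently dropped.
    $clean = [];
    foreach ($ids as $id) {
        if (!is_string($id) && !is_int($id)) {
            continue;
        }
        $v = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($v !== false) {
            $clean[] = $v;
        }
    }
    $clean = array_values(array_unique($clean));

    // 2. "IN ()" with no values is a MySQL syntax error, so stop early.
    if ($clean === []) {
        return 0;
    }

    // 3. One "?" placeholder per value; the SQL text contains only
    //    placeholders, never the submitted data.
    $placeholders = implode(',', array_fill(0, count($clean), '?'));
    $sql = "DELETE FROM TRANSACTIONS WHERE transid IN ($placeholders)";

    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }

    // 4. Bind all values as integers: the type string is one 'i' per value.
    $stmt->bind_param(str_repeat('i', count($clean)), ...$clean);
    if (!$stmt->execute()) {
        $err = $stmt->error;
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $err);
    }
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Usage (connection details are hypothetical):
// $db = new mysqli('localhost', 'app_user', 'secret', 'app_db');
// $deleted = deleteTransactions($db, $_POST['transid'] ?? []);
```

Two points worth keeping in mind with this approach: escaping is only meaningful inside a quoted string literal, so for a numeric column the combination of integer validation and parameter binding is the right tool rather than mysqli_real_escape_string; and binding only stops SQL injection, it does not stop a user from submitting IDs of rows they should not be allowed to delete, so the query should also be restricted to rows the current user owns.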
