emysql prepare statement breaks "in" operation #141

Open
jacktang opened this issue Jun 16, 2014 · 1 comment

@jacktang

Here are the results of a normal SQL statement and a prepared statement, and the results are quite different.

```erlang
emysql:execute(pool, "select * from test where id in (1,2)", []).
```

The result contains exactly two records, whose ids are 1 and 2.

```erlang
emysql:execute(pool, "select * from test where id in (?)", ["1,2"]).
```

which returns only one record, with id 1.

Tom9729 commented Jan 2, 2015

For that to work as expected it would be SQL injection, no?

You need to use multiple binds with dynamic SQL or use FIND_IN_SET (http://dev.mysql.com/doc/refman/5.0/en/string-functions.html#function_find-in-set).
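The "multiple binds with dynamic SQL" approach from the comment above, as an added example that is not part of this issue or of emysql: the single-placeholder pattern from the report sits beside a version that generates one `?` per list element, so the ids stay bound parameters and never become part of the SQL text. It assumes a stand-in `test` table with an INTEGER `id` column and uses Python's sqlite3 only because it runs in-process; FIND_IN_SET is MySQL-specific and is not shown.

```python
import sqlite3

# Constructed sample rows standing in for the issue's `test` table.
ROWS = [(1, "a"), (2, "b"), (3, "c")]


def make_db():
    """In-memory stand-in for the MySQL table the issue queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE test (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO test VALUES (?, ?)", ROWS)
    return conn


def ids_single_bind(conn, id_list):
    """The pattern from the report: one placeholder, the whole list as one string.

    The server receives a single scalar value, so the IN list has exactly one
    element.  MySQL coerces the text '1,2' to the number 1 (hence the one row
    the reporter saw); sqlite3 keeps it as text, so here nothing matches.
    Either way the list is never expanded.
    """
    value = ",".join(str(i) for i in id_list)
    cur = conn.execute("SELECT id FROM test WHERE id IN (?)", (value,))
    return [row[0] for row in cur.fetchall()]


def ids_multi_bind(conn, id_list):
    """One placeholder per element, derived from the list LENGTH, not its content.

    Only the literal characters '?' and ',' are spliced into the statement;
    every id is still passed as a bound parameter, so this is not injection.
    """
    if not id_list:
        return []  # "IN ()" is a syntax error, so handle the empty case up front
    placeholders = ",".join("?" * len(id_list))
    sql = "SELECT id FROM test WHERE id IN (%s) ORDER BY id" % placeholders
    cur = conn.execute(sql, tuple(id_list))
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    db = make_db()
    print("single bind:", ids_single_bind(db, [1, 2]))
    print("multi bind: ", ids_multi_bind(db, [1, 2]))
```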
