Bug #118607 Providing multiple values for a single parameter, e.g. id IN (?)
Submitted: 8 Jul 18:58 Modified: 9 Jul 10:01
Reporter: Craig Francis Email Updates:
Status: Verified Impact on me:
None 
Category:MySQL Server: Prepared statements Severity:S4 (Feature request)
Version:9.3.0 OS:Any
Assigned to: CPU Architecture:Any

[8 Jul 18:58] Craig Francis 
Description:
A common security issue (SQL Injection) is when a developer wants to use the IN Operator:

https://dev.mysql.com/doc/refman/8.4/en/comparison-operators.html#operator_in

Rather than using a Prepared Statement, they find it easy to do something dangerous like this:

  $sql .= 'WHERE id IN (' . implode(', ', $ids) . ')';

If the array of $ids comes from an un-trusted source (e.g. the query string in the web pages URL), then they have just created a security issue.

I've found this to be the most common source of SQL injection vulnerabilities, as it's harder (and less obvious) to write the code correctly; where they have to count the number of values they have, and then use "?" followed by 0 or more ", ?" in the SQL string, I've seen some complicated solutions to this, but I think the shortest/easiest is:

  $sql = 'WHERE id IN (' . substr(str_repeat(', ?', count($ids)), 2) . ')';

How to repeat:
N/A

Suggested fix:
It would be great if the developer could simply write:

  $sql .= 'WHERE id IN (?)';

And pass in an array of values for that 1 parameter, when it comes to executing the query.

Also, it would be useful if the array could be empty (which would basically evaluate to false), as both of the examples above cause a syntax error if the $ids array is empty.
[9 Jul 10:01] MySQL Verification Team 
Hello Craig Francis,

Thank you for the feature request!

regards,
Umesh