PHP Implode But Wrap Each Element In Quotes

Add the quotes into the implode call: (I'm assuming you meant implode)

$SQL = 'DELETE FROM elements
           WHERE id IN ("' . implode('", "', $elements) . '")';

This produces:

DELETE FROM elements WHERE id IN ("foo", "bar", "tar", "dar")

The best way to protect against SQL injection is to make sure your elements are properly escaped.

An easy thing to do that should work (but I haven't tested it) is to use either array_map or array_walk, and escape every parameter, like so:

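$elements = array(); // the values to be deleted
// mysql_real_escape_string() belongs to the old mysql extension, which was removed in PHP 7.0
$elements = array_map( 'mysql_real_escape_string', $elements);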

You can use array_walk to iterate over all the elements inside the array, passing a reference to each element, and add the quotes in the following way.

PHP 7.4 or newer

<?php

$arr = ['a','b','c'];

array_walk($arr, fn(&$x) => $x = "'$x'");

echo implode(',', $arr); // 'a','b','c'

PHP 7.3 or older

<?php

$arr = ['a','b','c'];

array_walk($arr, function(&$x) {$x = "'$x'";});

echo implode(',', $arr); // 'a','b','c'
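
The DELETE ... WHERE id IN (...) query from the first answer can also be built with one bound placeholder per element, so the values never need quoting or escaping. This is an added example, not code from the answers above; it assumes PDO with the SQLite driver, and the deleteByIds helper name, the table contents and the sample input are constructed for illustration.

```php
<?php
// Added example: delete rows by an id list using bound placeholders
// instead of wrapping each value in quotes and concatenating it.

function deleteByIds(PDO $pdo, array $ids): int
{
    // An empty list would produce "IN ()", which is a syntax error.
    if ($ids === []) {
        return 0;
    }
    // One "?" per value: only the number of values shapes the SQL text.
    $placeholders = implode(', ', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("DELETE FROM elements WHERE id IN ($placeholders)");
    // Values are sent separately from the statement, so quote characters
    // inside them are treated as data, not as SQL syntax.
    // array_values() re-indexes the array for positional binding.
    $stmt->execute(array_values($ids));
    return $stmt->rowCount();
}

// Constructed in-memory table standing in for the "elements" table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE elements (id TEXT PRIMARY KEY)');
$insert = $pdo->prepare('INSERT INTO elements (id) VALUES (?)');
foreach (['foo', 'bar', 'tar', 'dar', 'keep'] as $id) {
    $insert->execute([$id]);
}

// Constructed input: two real ids plus a value containing quote characters
// that would change the meaning of a concatenated query.
$elements = ['foo', 'bar', 'x") OR ("1"="1'];

echo deleteByIds($pdo, $elements), " rows deleted\n";
echo deleteByIds($pdo, []), " rows deleted for an empty list\n";
echo $pdo->query('SELECT COUNT(*) FROM elements')->fetchColumn(), " rows left\n";
```

Only the two matching ids are removed; the third value is compared as a literal string and matches nothing.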