# fix: Prevent SQL injection in whereIn clause

AbmSourav · AbmSourav · commit 90e4d32dbf12 · 2025-11-30T12:31:51.000+06:00
## Description

Previously, the `whereIn` method in the `Select` statement directly interpolated values into the SQL query string by wrapping them in single quotes. This approach is highly vulnerable to SQL injection, as malicious input in the `$value` array could alter the query's intent and potentially lead to unauthorized data access or manipulation.

This commit addresses this critical security vulnerability by switching to a prepared statement approach for the `WHERE IN` clause. Instead of direct string concatenation, values are now added to the internal `$this-&gt;params` array, and database-specific placeholders are generated using `Utilities::get_placeholder()`. This ensures that all values are properly escaped and bound by the underlying database driver, effectively preventing SQL injection attacks.

## Changes in the codebase

-   **`src/Statement/Select.php`**:
    -   In the `whereIn` method, the anonymous function responsible for formatting the list of items for the `IN` clause has been modified.
    -   The line `return "'" . $item . "'";` has been replaced.
    -   Each `$item` from the input `$value` array is now first added to the `$this-&gt;params[]` array, making it available for parameter binding.
    -   `Utilities::get_placeholder($this-&gt;db, $item)` is now used to generate a database-agnostic placeholder for each item, ensuring safe parameterization regardless of the database system.
diff --git a/composer.json b/composer.json
@@ -1,7 +1,7 @@
 {
     "name": "codesvault/howdy-qb",
     "description": "Mysql Query Builder for WordPress",
-    "version": "1.7.0",
+    "version": "1.7.1",
     "minimum-stability": "stable",
     "scripts": {
         "test": "phpunit",
diff --git a/src/Statement/Select.php b/src/Statement/Select.php
@@ -115,7 +115,8 @@ public function andNot(string $column, ?string $operator = null, $value = null):
     public function whereIn(string $column, ...$value): self
     {
 		$list = implode(', ', array_map(function($item) {
-			return "'" . $item . "'";
+			$this->params[] = $item;
+			return Utilities::get_placeholder($this->db, $item);
 		}, $value));
 
         $this->sql['whereIn'][] = 'WHERE ' . $column . " IN ($list)";

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "codesvault/howdy-qb",`
`3`	`3`	`"description": "Mysql Query Builder for WordPress",`
`4`		`- "version": "1.7.0",`
	`4`	`+ "version": "1.7.1",`
`5`	`5`	`"minimum-stability": "stable",`
`6`	`6`	`"scripts": {`
`7`	`7`	`"test": "phpunit",`
Original file line number	Diff line number	Diff line change
`@@ -115,7 +115,8 @@ public function andNot(string $column, ?string $operator = null, $value = null):`
`115`	`115`	`public function whereIn(string $column, ...$value): self`
`116`	`116`	`{`
`117`	`117`	`$list = implode(', ', array_map(function($item) {`
`118`		`- return "'" . $item . "'";`
	`118`	`+ $this->params[] = $item;`
	`119`	`+ return Utilities::get_placeholder($this->db, $item);`
`119`	`120`	`}, $value));`
`120`	`121`
`121`	`122`	`$this->sql['whereIn'][] = 'WHERE ' . $column . " IN ($list)";`