在MySQL中的in子句中对数组使用爆破 [英] using implode for array inside mysql where in clause

问题描述

im试图在in子句中为mysql使用数组

im trying to use array for mysql where in clause

$result= $myDB->query("SELECT sum(total) as total FROM ".$myDB->prefix("mydata")." WHERE categoryname IN ('".$categoryname."') AND year='$year' AND stat_id='$stat_id'");

当前类别名称的输出是

('Cat1,Cat2,Cat3')

所需的输出

('Cat1','Cat2','Cat3')

到目前为止，我还是尝试了它，但是没有用

i tried it like so far but its not working

$categoryname_new = implode(',',$categoryname);

$result= $myDB->query("SELECT sum(total) as total FROM ".$myDB->prefix("mydata")." WHERE categoryname IN ('".$categoryname_new."') AND year='$year' AND stat_id='$stat_id'");

推荐答案

幼稚的解决方案将是:

$array = ['Cat1', 'Cat2', 'Cat3'];
echo "'" . implode("','", $array) . "'";

但是它可能会引入sql注入，因此您需要先正确地对数组中的数据进行转义

but it could introduce sql injection, so you need properly escape data in array first

使用转义符对一行进行采样:

sample one-line with escaping:

echo "'" . implode("','", array_map('mysql_escape_string', $array)) . "'";

注意:不推荐使用mysql_*函数，您需要使用mysqli_*需要连接链接

note: mysql_* functions are deprecated, you need to use mysqli_* which require connection link

这篇关于在MySQL中的in子句中对数组使用爆破的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！