PHP PDO MySQL IN(?，?，? [英] PHP PDO MySQL IN (?,?,?

问题描述

我想编写一个MySQL语句，例如:

I want to write a MySQL statement like:

SELECT * FROM someTable WHERE someId IN (value1, value2, value3, ...)

这里的诀窍是我不知道提前知道IN()中会有多少个值.

The trick here is that I do not know ahead of time how many values there will be in the IN().

很明显，我知道我可以通过字符串操作随时生成查询，但是由于这将循环运行，所以我想知道是否可以使用PDO PreparedStatement进行查询.

Obviously I know I can generate the query on the go with string manipulations, however since this will run in a loop, I was wondering if I could do it with a PDO PreparedStatement.

类似的东西:

$query = $PDO->prepare('SELECT * FROM someTable WHERE someId IN (:idList)');
$query->bindValue(':idList', implode(',', $idArray));

有可能吗?

推荐答案

这不是您尝试的方法.您要传递的每个参数都必须有一个单独的占位符，其他所有内容都会违背参数的目的(将代码与数据分开).

This is not possible the way you try it. You must have a separate placeholder for every parameter you want to pass in, everything else would defy the purpose of parameters (which is separating code from data).

$ids = array(2, 4, 6, 8);

// prepare a string that contains ":id_0,..,:id_n" and include it in the SQL
$plist = ':id_'.implode(',:id_', array_keys($ids));
$sql   = "SELECT * FROM someTable WHERE someId IN ($plist)";
// prepare & execute the actual statement
$parms = array_combine(explode(",", $plist), $ids);
$stmt  = $PDO->prepare($sql);
$rows  = $stmt->execute($parms);

如果在绑定期间允许您将值的数组传递给单个参数，则将有效地允许您更改SQL语句.这将是SQL注入的漏洞-毕竟，没有什么可以保证所有数组值都是无辜的整数.

If you were allowed to pass in an array of values to a single parameter during bind, you would effectively be allowed to alter the SQL statement. This would be a loophole for SQL injection - nothing could guarantee that all array values would be innocent integers, after all.

这篇关于PHP PDO MySQL IN(?，?，?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！