在IN子句中使用mysql_real_escape_string
[英]Using mysql_real_escape_string in IN clause
问题描述
mysql_real_escape_string adds slashes to the values in IN clause and hence no values are returned. 
mysql_real_escape_string将斜杠添加到IN子句中的值,因此不返回任何值。 How can I send array values that are escaped using mysql_real_escape_string() in IN clause? 如何在IN子句中使用mysql_real_escape_string()发送转义的数组值?
Here is my code: 这是我的代码:
$names_array = array('dave','smith');
$names = mysql_real_escape_string("'". implode("', '", $names_array) ."'");
$sql = "SELECT * FROM user WHERE user_name IN ($names)";
$results = mysql_query($sql);
Query after mysql_real_escape_string changes like this: mysql_real_escape_string更改后的查询如下:
SELECT * FROM user WHERE user_name IN (\'dave\', \'smith\')
I don't want these slashes here in IN clause. 我不想在IN子句中使用这些斜杠。 Also I don't want the values directly substituted in IN clause. 另外,我不希望在IN子句中直接替换值。 Thanks in Advance. 提前致谢。
2 个解决方案
解决方案1
4 已采纳 2011-12-23 09:46:00
这可能会这样做。
$names = "'". implode("', '", array_map('mysql_real_escape_string', $names_array)). "'";
解决方案2
0 2011-12-23 09:44:34
Don't use mysql_real_escape_string ; 不要使用mysql_real_escape_string ; don't use the mysql_* functions directly at all; 不要直接使用mysql_*函数; use ADODB or somesuch; 使用ADODB或其他一些; don't concatenate your queries in this way, use placeholders ( ? ) and prepared statements. 不要以这种方式连接您的查询,使用占位符( ? )和预准备语句。 Your code should look similar to this: 您的代码应该类似于:
include('/path/to/adodb.inc.php');
$DB = NewADOConnection('mysql');
$DB->Connect($server, $user, $pwd, $db);
# M'soft style data retrieval with binds
$rs = $DB->Execute("select * from user where user_names in ?",array(array('dave','smith')));
while (!$rs->EOF) {
print_r($rs->fields);
$rs->MoveNext();
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.