Using mysql_real_escape_string in IN clause

mysql_real_escape_string adds slashes to the values in IN clause and hence no values are returned. How can I send array values that are escaped using mysql_real_escape_string() in IN clause?

Here is my code:

$names_array = array('dave','smith');
$names = mysql_real_escape_string("'". implode("', '", $names_array) ."'");
$sql = "SELECT * FROM user WHERE user_name IN ($names)";
$results = mysql_query($sql);

Query after mysql_real_escape_string changes like this:

SELECT * FROM user WHERE user_name IN (\'dave\', \'smith\')

I don't want these slashes here in IN clause. Also I don't want the values directly substituted in IN clause. Thanks in Advance.

This might do it.

$names = "'". implode("', '", array_map('mysql_real_escape_string', $names_array)). "'";

Don't use mysql_real_escape_string; don't use the mysql_* functions directly at all; use ADODB or somesuch; don't concatenate your queries in this way, use placeholders (?) and prepared statements. Your code should look similar to this:

include('/path/to/adodb.inc.php');
$DB = NewADOConnection('mysql');
$DB->Connect($server, $user, $pwd, $db);

# M'soft style data retrieval with binds
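# A single ? binds a single value, so generate one placeholder per name
$names_array = array('dave','smith');
$placeholders = implode(',', array_fill(0, count($names_array), '?'));
$rs = $DB->Execute("select * from user where user_name in ($placeholders)", $names_array);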
while (!$rs->EOF) {
    print_r($rs->fields);
    $rs->MoveNext();
}
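
The placeholder approach from the answer above, as an added example that is not part of the original question or answers. It uses PDO with an in-memory SQLite database so it runs offline (with MySQL only the DSN changes); the helper name selectUsersByName and the sample rows are assumptions made for illustration.

```php
<?php
/**
 * Hypothetical helper: fetch the user_name values that appear in $names.
 * One "?" placeholder is generated per value, so the values are sent as
 * bound parameters and never become part of the SQL text.
 */
function selectUsersByName(PDO $pdo, array $names): array
{
    // "IN ()" is a syntax error, so an empty list short-circuits to no rows.
    if ($names === []) {
        return [];
    }

    $placeholders = implode(', ', array_fill(0, count($names), '?'));
    $stmt = $pdo->prepare(
        "SELECT user_name FROM user
         WHERE user_name IN ($placeholders)
         ORDER BY user_name"
    );

    // Positional binds need keys 0..n-1, so re-index the input array.
    $stmt->execute(array_values($names));

    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data in a throwaway in-memory database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (user_name TEXT)');

$insert = $pdo->prepare('INSERT INTO user (user_name) VALUES (?)');
foreach (['dave', 'smith', "o'brien", 'alice'] as $name) {
    $insert->execute([$name]);
}

// The values from the question.
print_r(selectUsersByName($pdo, ['dave', 'smith']));

// A value containing a quote is matched as data, with no escaping step.
print_r(selectUsersByName($pdo, ["o'brien"]));

// Edge case: an empty list.
print_r(selectUsersByName($pdo, []));
```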
