在 IN 子句中使用 mysql_real_escape_string

发布于 2024-12-22 18:03:05 字数 532 浏览 0 评论 0原文

mysql_real_escape_string 向 IN 子句中的值添加斜杠，因此不返回任何值。如何发送在 IN 子句中使用 mysql_real_escape_string() 转义的数组值？

这是我的代码：

$names_array = array('dave','smith');
$names = mysql_real_escape_string("'". implode("', '", $names_array) ."'");
$sql = "SELECT * FROM user WHERE user_name IN ($names)";
$results = mysql_query($sql);

mysql_real_escape_string 更改后的查询如下：

SELECT * FROM user WHERE user_name IN (\'dave\', \'smith\')

我不想在 IN 子句中使用这些斜杠。另外，我不希望直接在 IN 子句中替换值。提前致谢。

原文

mysql_real_escape_string adds slashes to the values in IN clause and hence no values are returned. How can I send array values that are escaped using mysql_real_escape_string() in IN clause?

Here is my code:

$names_array = array('dave','smith');
$names = mysql_real_escape_string("'". implode("', '", $names_array) ."'");
$sql = "SELECT * FROM user WHERE user_name IN ($names)";
$results = mysql_query($sql);

Query after mysql_real_escape_string changes like this:

SELECT * FROM user WHERE user_name IN (\'dave\', \'smith\')

I don't want these slashes here in IN clause. Also I don't want the values directly substituted in IN clause.
Thanks in Advance.

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

我偏爱纯白色 2024-12-29 18:03:05

这或许可以做到。

$names = "'". implode("', '", array_map('mysql_real_escape_string', $names_array)). "'";

This might do it.

$names = "'". implode("', '", array_map('mysql_real_escape_string', $names_array)). "'";

回复收藏 0 原文

骄傲 2024-12-29 18:03:05

不要使用 mysql_real_escape_string ；根本不要直接使用 mysql_* 函数；使用 ADODB 或类似的东西；不要以这种方式连接查询，请使用占位符 (?) 和准备好的语句。您的代码应类似于以下内容：

include('/path/to/adodb.inc.php');
$DB = NewADOConnection('mysql');
$DB->Connect($server, $user, $pwd, $db);

# M'soft style data retrieval with binds
$rs = $DB->Execute("select * from user where user_names in ?",array(array('dave','smith')));
while (!$rs->EOF) {
    print_r($rs->fields);
    $rs->MoveNext();
}

Don't use mysql_real_escape_string; don't use the mysql_* functions directly at all; use ADODB or somesuch; don't concatenate your queries in this way, use placeholders (?) and prepared statements. Your code should look similar to this:

include('/path/to/adodb.inc.php');
$DB = NewADOConnection('mysql');
$DB->Connect($server, $user, $pwd, $db);

# M'soft style data retrieval with binds
$rs = $DB->Execute("select * from user where user_names in ?",array(array('dave','smith')));
while (!$rs->EOF) {
    print_r($rs->fields);
    $rs->MoveNext();
}

回复收藏 0 原文

~没有更多了~