我正在研究现有项目,并且数据库上有一个抽象层(以前的开发人员制定了它,我不应该更改它)。 我从抽象中提取函数,它看起来像这样:
html_g我收到了一个错误:
您的SQL语法有错误;检查与你的MySQL服务器版本相对应的手册,以便在'\\'alex \',\\'john \\')'?'第1行附近使用正确的语法“
如何更正$sql = "SELECT id FROM user WHERE username IN ({users})";
$users = "alex,john";
$users = str_replace(',', "','", $users);
$users = mysqli_real_escape_string($dbh, $users);
//Here is a replace placeholder function for sql query
...
$query = mysqli_query($dbh, $sql);
条款中的使用mysqli_real_escape_string?
答案 0 :(得分:0)
尝试这样做以准备$ users变量
$users = "alex,john";
$users= "'".str_replace(",", "','", $users)."'";
修改
$users_array= explode(',',$users);
$users= "'". implode("', '", array_map('mysql_real_escape_string', $users_array)). "'";
答案 1 :(得分:0)
试试这个:
$users = "alex,john";
$users = "'" . str_replace(',', "','", $users) . "'";
$users = mysqli_real_escape_string($dbh, $users);
$sql = "SELECT id FROM user WHERE username IN ({$users})";
$query = mysqli_query($dbh, $sql);
推荐的方式是使用预处理语句而不用担心转义特殊字符或SQL注入。
$users = "alex,john";
$users = "'" . str_replace(',', "','", $users) . "'";
$sql = "SELECT id FROM user WHERE username IN ({$users})";
$stmt = $dbh->prepare($sql);
$stmt->bind_param('s', $users);
$stmt->execute();
$results = $stmt->fetch();