I have the following query that selects rows from a table based on their row number.
$targeted_rows = implode(",", $wanted);
$sql = "SELECT * FROM (
    SELECT @row:=@row+1 AS rownum, productsa.* FROM (
        SELECT @row:=0
    ) r, productsa
) ranked
WHERE rownum IN (?)";
$q = $this->db->query($sql, $targeted_rows);
$data = array();
if ($q->num_rows() > 0) {
    foreach ($q->result() as $row) {
        $data[] = $row;
    }
}
return $data;
Currently the query being executed is the one below. With the quotes around the numbers it does not work.
SELECT * FROM (
    SELECT @row:=@row+1 AS rownum, productsa.* FROM (
        SELECT @row:=0
    ) r, productsa
) ranked
WHERE rownum IN ('1,4,7,10,13,16,19,22,25,28,31,34,37,40,43,46,49,52,55,58,61,64,67,70,73,76,79,82,85,88,91,94,97,100,103,106,109,112,115,118,121,124,127,130,133,136,139,142,145,148,151,154,157,160,163,166,169,172')
But when I run the query manually without the quotes, it works fine. I am completely lost as to how to do the binding so that the quotes do not end up in the query.
Edit: I have tried removing the implode and using the code below, but I run into the same problem.
$targeted_rows = '';
foreach ($wanted as $value) {
    $targeted_rows .= $value . ",";
}
$this->db->escape($targeted_rows);
Answer 0 (score: 0)
The only workable way is to use a foreach loop instead of implode, and then use:
$this->db->escape(); // to make it safer
Answer 1 (score: 0)
Or perhaps, just to make it safer, use $this->db->escape as Sudhir mentioned earlier, and then simply inject the escaped values into the SQL (without query binding)?
$escaped_wanted = array();
foreach ($wanted as $id) {
    $escaped_wanted[] = $this->db->escape($id);
}
$targeted_rows = implode(",", $escaped_wanted);
$sql = "SELECT * FROM (
    SELECT @row:=@row+1 AS rownum, productsa.* FROM (
        SELECT @row:=0
    ) r, productsa
) ranked
WHERE rownum IN ({$targeted_rows})";
$q = $this->db->query($sql);
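The root cause in the question is that a single `?` is bound to one comma-separated string, which the driver quotes as a single value. The following is an added example (not code from the question or either answer) that keeps query binding and instead emits one placeholder per value; it assumes CodeIgniter's `$this->db->query($sql, $binds)` array-binding form and the same `productsa` table and `$wanted` array as above.

```php
<?php
// Added example: bind each row number with its own "?" placeholder so that
// CodeIgniter escapes each value individually, instead of binding one
// imploded string (which becomes IN ('1,4,7,...') and matches nothing).

function build_rownum_query(array $wanted)
{
    // Keep only positive integers: rownum is numeric, and this rejects any
    // stray non-numeric input before it reaches the query at all.
    $ids = array_values(array_filter(array_map('intval', $wanted), function ($n) {
        return $n > 0;
    }));
    if (empty($ids)) {
        throw new InvalidArgumentException('No valid row numbers given');
    }

    // One "?" per value: IN (?,?,?) rather than IN (?).
    $placeholders = implode(',', array_fill(0, count($ids), '?'));

    $sql = "SELECT * FROM (
        SELECT @row:=@row+1 AS rownum, productsa.* FROM (
            SELECT @row:=0
        ) r, productsa
    ) ranked
    WHERE rownum IN ({$placeholders})";

    return array($sql, $ids);
}

// Constructed sample input for a stand-alone run; 'x' and -2 are dropped.
list($sql, $binds) = build_rownum_query(array(1, 4, '7', 'x', -2, 10));
echo $sql, PHP_EOL;
print_r($binds);

// Inside the CodeIgniter model from the question, the same pair is used as:
//   list($sql, $binds) = build_rownum_query($wanted);
//   $q = $this->db->query($sql, $binds);
```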