使用WHERE子句将数组传递给查询

本文翻译自：Passing an array to a query using a WHERE clause

Given an array of ids $galleries = array(1,2,5) I want to have a SQL query that uses the values of the array in its WHERE clause like: 给定一个ID数组$galleries = array(1,2,5)我想拥有一个SQL查询，该查询使用WHERE子句中的数组值，例如：

SELECT *
FROM galleries
WHERE id = /* values of array $galleries... eg. (1 || 2 || 5) */

How can I generate this query string to use with MySQL? 如何生成此查询字符串以用于MySQL？

#1楼

参考：https://stackoom.com/question/3oA2/使用WHERE子句将数组传递给查询

#2楼

Using PDO: ^[1] 使用PDO： ^[1]

$in = join(',', array_fill(0, count($ids), '?'));
$select = <<<SQLSELECT *FROM galleriesWHERE id IN ($in);
SQL;
$statement = $pdo->prepare($select);
$statement->execute($ids);

Using MySQLi ^[2] 使用MySQLi ^[2]

$in = join(',', array_fill(0, count($ids), '?'));
$select = <<<SQLSELECT *FROM galleriesWHERE id IN ($in);
SQL;
$statement = $mysqli->prepare($select);
$statement->bind_param(str_repeat('i', count($ids)), ...$ids);
$statement->execute();
$result = $statement->get_result();

Explanation: 说明：

Use the SQL `IN()` operator to check if a value exists in a given list. 使用SQL `IN()`运算符检查给定列表中是否存在值。

In general it looks like this: 一般来说，它看起来像这样：

expr IN (value,...)

We can build an expression to place inside the () from our array. 我们可以构建一个表达式以放置在数组中的()内。 Note that there must be at least one value inside the parenthesis or MySQL will return an error; 请注意，圆括号内必须至少有一个值，否则MySQL将返回错误。 this equates to making sure that our input array has at least one value. 这等于确保我们的输入数组至少具有一个值。 To help prevent against SQL injection attacks, first generate a ? 为了防止SQL注入攻击，请首先生成一个? for each input item to create a parameterized query. 为每个输入项创建一个参数化查询。 Here I assume that the array containing your ids is called $ids : 在这里，我假设包含您的id的数组称为$ids ：

$in = join(',', array_fill(0, count($ids), '?'));$select = <<<SQLSELECT *FROM galleriesWHERE id IN ($in);
SQL;

Given an input array of three items $select will look like: 给定一个包含三个项目的输入数组， $select看起来像：

SELECT *
FROM galleries
WHERE id IN (?, ?, ?)

Again note that there is a ? 再次注意，有一个? for each item in the input array. 输入数组中的每个项目。 Then we'll use PDO or MySQLi to prepare and execute the query as noted above. 然后，我们将使用PDO或MySQLi来准备和执行上述查询。

Using the `IN()` operator with strings 对字符串使用`IN()`运算符

It is easy to change between strings and integers because of the bound parameters. 由于绑定了参数，因此很容易在字符串和整数之间进行更改。 For PDO there is no change required; 对于PDO，无需更改； for MySQLi change str_repeat('i', to str_repeat('s', if you need to check strings. 对于MySQLi str_repeat('s',如果需要检查字符串str_repeat('s',请将str_repeat('i',更改为str_repeat('s', 。

^{^[1]: I've omitted some error checking for brevity.} ^{^[1]：为简洁起见，我省略了一些错误检查。} ^{You need to check for the usual errors for each database method (or set your DB driver to throw exceptions).} ^{您需要检查每种数据库方法的常见错误（或将数据库驱动程序设置为引发异常）。}

^{^[2]: Requires PHP 5.6 or higher.} ^{^[2]：需要PHP 5.6或更高版本。} ^{Again I've omitted some error checking for brevity.} ^{同样，为了简洁起见，我省略了一些错误检查。}

#3楼

Basic methods to prevent SQL injection are: 防止SQL注入的基本方法是：

Use prepared statements and parameterized queries 使用准备好的语句和参数化查询
Escaping the special characters in your unsafe variable 转义不安全变量中的特殊字符

Using prepared statements and parameterized queries query is considered the better practice, but if you choose the escaping characters method then you can try my example below. 使用准备好的语句和参数化查询是更好的做法，但是，如果选择转义字符方法，则可以尝试下面的示例。

You can generate the queries by using array_map to add a single quote to each of elements in the $galleries : 您可以使用array_map为$galleries中的每个元素添加一个单引号来生成查询：

$galleries = array(1,2,5);$galleries_str = implode(', ',array_map(function(&$item){return "'" .mysql_real_escape_string($item) . "'";}, $galleries));$sql = "SELECT * FROM gallery WHERE id IN (" . $galleries_str . ");";

The generated $sql var will be: 生成的$ sql var将为：

SELECT * FROM gallery WHERE id IN ('1', '2', '5');

Note: mysql_real_escape_string , as described in its documentation here , was deprecated in PHP 5.5.0, and it was removed in PHP 7.0.0. 注意： mysql_real_escape_string 如其文档所述，在PHP 5.5.0中已弃用，在PHP 7.0.0中已将其删除。 Instead, the MySQLi or PDO_MySQL extension should be used. 相反，应使用MySQLi或PDO_MySQL扩展。 See also MySQL: choosing an API guide and related FAQ for more information. 另请参见MySQL：选择API指南和相关的FAQ，以获取更多信息。 Alternatives to this function include: 此功能的替代方法包括：

mysqli_real_escape_string() mysqli_real_escape_string（）

PDO::quote() PDO :: quote（）

#4楼

As Flavius Stef's answer , you can use intval() to make sure all id are int values: 作为Flavius Stef的答案，您可以使用intval()来确保所有id都是int值：

$ids = join(',', array_map('intval', $galleries));
$sql = "SELECT * FROM galleries WHERE id IN ($ids)";

#5楼

Safer. 更安全

$galleries = array(1,2,5);
array_walk($galleries , 'intval');
$ids = implode(',', $galleries);
$sql = "SELECT * FROM galleries WHERE id IN ($ids)";

#6楼

Besides using the IN query, you have two options to do so as in an IN query there is a risk of an SQL injection vulnerability. 除了使用IN查询外，您还有两种选择，因为在IN查询中存在SQL注入漏洞的风险。 You can use looping to get the exact data you want or you can use the query with OR case 您可以使用循环获取所需的确切数据，也可以将查询与OR案例一起使用

1. SELECT *FROM galleries WHERE id=1 or id=2 or id=5;2. $ids = array(1, 2, 5);foreach ($ids as $id) {$data[] = SELECT *FROM galleries WHERE id= $id;}