I want to select some id's based on url string but with my code it displays only the first. If i write manual the id's it works great.
我想根据url字符串选择一些id,但是我的代码只显示第一个。如果我写手册的id's它很棒。
I have a url like this http://www.mydomain.com/myfile.php?theurl=1,2,3,4,5 (ids)
我有这样的网址http://www.mydomain.com/myfile.php?theurl=1,2,3,4,5(ids)
Now in the myfile.php i have my sql connection and:
现在在myfile.php我有我的sql连接和:
$ids = $_GET['theurl']; (and i am getting 1,2,3,4,5)
$ ids = $ _GET ['theurl']; (我正在获得1,2,3,4,5)
if i use this:
如果我使用这个:
$sql = "select * from info WHERE `id` IN (1,2,3,4,5)";
$slqtwo = mysql_query($sql);
while ($tc = mysql_fetch_assoc($slqtwo)) {
echo $tc['a_name'];
echo " - ";
}
I am Getting the correct results. Now if i use the code bellow it's not working:
我得到了正确的结果。现在,如果我使用下面的代码,它不起作用:
$sql = "select * from info WHERE `id` IN ('$ids')";
$slqtwo = mysql_query($sql);
while ($tc = mysql_fetch_assoc($slqtwo)) {
echo $tc['a_name'];
echo " - ";
}
Any suggestions?
2 个解决方案
#1
17
When you interpolate
插值时
"select * from info WHERE `id` IN ('$ids')"
with your IDs, you get:
使用您的ID,您将得到:
"select * from info WHERE `id` IN ('1','2','3','4','5')"
...which treats your set of IDs as a single string instead of a set of integers.
...将您的ID集视为单个字符串而不是一组整数。
Get rid of the single-quotes in the IN clause, like this:
摆脱IN子句中的单引号,如下所示:
"select * from info WHERE `id` IN ($ids)"
Also, don't forget that you need to check for SQL Injection attacks. Your code is currently very dangerous and at risk of serious data loss or access. Consider what might happen if someone calls your web page with the following URL and your code allowed them to execute multiple statements in a single query:
另外,不要忘记您需要检查SQL注入攻击。您的代码目前非常危险,存在严重数据丢失或访问的风险。考虑如果有人使用以下URL调用您的网页,并且您的代码允许他们在单个查询中执行多个语句,可能会发生什么:
http://www.example.com/myfile.php?theurl=1);delete from info;--
#2
3
You can also try FIND_IN_SET() function
您还可以尝试FIND_IN_SET()函数
$SQL = "select * from info WHERE FIND_IN_SET(`id`, '$ids')"
OR
$SQL = "select * from info WHERE `id` IN ($ids)"
#1
17
When you interpolate
插值时
"select * from info WHERE `id` IN ('$ids')"
with your IDs, you get:
使用您的ID,您将得到:
"select * from info WHERE `id` IN ('1','2','3','4','5')"
...which treats your set of IDs as a single string instead of a set of integers.
...将您的ID集视为单个字符串而不是一组整数。
Get rid of the single-quotes in the IN clause, like this:
摆脱IN子句中的单引号,如下所示:
"select * from info WHERE `id` IN ($ids)"
Also, don't forget that you need to check for SQL Injection attacks. Your code is currently very dangerous and at risk of serious data loss or access. Consider what might happen if someone calls your web page with the following URL and your code allowed them to execute multiple statements in a single query:
另外,不要忘记您需要检查SQL注入攻击。您的代码目前非常危险,存在严重数据丢失或访问的风险。考虑如果有人使用以下URL调用您的网页,并且您的代码允许他们在单个查询中执行多个语句,可能会发生什么:
http://www.example.com/myfile.php?theurl=1);delete from info;--
#2
3
You can also try FIND_IN_SET() function
您还可以尝试FIND_IN_SET()函数
$SQL = "select * from info WHERE FIND_IN_SET(`id`, '$ids')"
OR
$SQL = "select * from info WHERE `id` IN ($ids)"