This question already has an answer here:
这个问题在这里已有答案:
- Can I bind an array to an IN() condition? 21 answers
- MySQLi Bind Param with an array for IN 2 answers
我可以将数组绑定到IN()条件吗? 21个答案
MySQLi Bind Param带有一个IN 2答案的数组
I'm trying to write code that basically finds your facebook friends that are on my website. I succeed in phpmyadmin running the query but for some reason when i try to run the code from php it doesn't work
我正在尝试编写基本上可以找到我网站上的Facebook好友的代码。我成功运行phpmyadmin查询但由于某种原因,当我尝试从PHP运行代码时,它不起作用
Here's the php code. Whenever i take the $string echo and place it in mysql it works just fine, but for whatever reason when running it in php the query is not returning any results.
这是php代码。每当我接受$ string echo并将其放在mysql中它工作得很好,但无论出于何种原因在php中运行它时查询都没有返回任何结果。
$fql = "SELECT uid FROM user WHERE uid IN (SELECT uid2 FROM friend WHERE uid1 = 100000903067831) AND is_app_user = 'true'";
$param = array(
'method' => 'fql.query',
'query' => $fql
);
$this->load->library('facebook');
echo $this->facebook->getLoginUrl();
$fqlResult = $this->facebook->api($param);
$userIDarray = array();
foreach($fqlResult as $result)
{
echo $result['uid']."<br>";
array_push($userIDarray, intval($result['uid']));
}
$string = implode(', ',$userIDarray);
echo $string;
$vars = array($string);
$query = $this->db->query("SELECT * FROM users WHERE users.facebook_id IN (?)", $vars);
echo var_dump($query);
foreach($query->result() as $data)
{
echo var_dump($data);
}
1 个解决方案
#1
0
You cannot pass multiple parameters in a single ?.
你不能在一个?中传递多个参数。
You need to construct the options for IN yourself using concatenation.
您需要使用串联为自己构造IN选项。
Like so:
foreach($fqlResult as $result)
{
echo $result['uid']."<br>";
array_push($userIDarray, intval($result['uid']));
}
$string = implode(', ',$userIDarray);
$query = $this->db->query("SELECT * FROM users WHERE users.facebook_id
IN ('.$string.')");
Note that you need to make sure your items in the $userIDarray are properly escaped.
Because you're not using parameters, but you've injected these values into your SQL you are in danger of SQL injection attacks.
请注意,您需要确保$ userIDarray中的项目已正确转义。因为您没有使用参数,但是您已将这些值注入SQL,您将面临SQL注入攻击的危险。
You are passing them through intval which guarantees that the strings will only contain 0..9 and - so you are safe from that here.
If the data is not numeric, you need use mysqli_real_escape_string to compensate for the fact that you're bypassing PDO's parameters.
你通过intval传递它们,这保证了字符串只包含0..9和 - 所以你在这里是安全的。如果数据不是数字,则需要使用mysqli_real_escape_string来补偿您绕过PDO参数的事实。
#1
0
You cannot pass multiple parameters in a single ?.
你不能在一个?中传递多个参数。
You need to construct the options for IN yourself using concatenation.
您需要使用串联为自己构造IN选项。
Like so:
foreach($fqlResult as $result)
{
echo $result['uid']."<br>";
array_push($userIDarray, intval($result['uid']));
}
$string = implode(', ',$userIDarray);
$query = $this->db->query("SELECT * FROM users WHERE users.facebook_id
IN ('.$string.')");
Note that you need to make sure your items in the $userIDarray are properly escaped.
Because you're not using parameters, but you've injected these values into your SQL you are in danger of SQL injection attacks.
请注意,您需要确保$ userIDarray中的项目已正确转义。因为您没有使用参数,但是您已将这些值注入SQL,您将面临SQL注入攻击的危险。
You are passing them through intval which guarantees that the strings will only contain 0..9 and - so you are safe from that here.
If the data is not numeric, you need use mysqli_real_escape_string to compensate for the fact that you're bypassing PDO's parameters.
你通过intval传递它们,这保证了字符串只包含0..9和 - 所以你在这里是安全的。如果数据不是数字,则需要使用mysqli_real_escape_string来补偿您绕过PDO参数的事实。