搜索php.in,php – 使用IN指令搜索预准备语句

预准备语句没有参数,因为您在准备之前已将列表插入到语句中.

$array=array("item1","item2","item3","item4");

//This is dynamically filled, this is just an example

$in_list = "'".implode("','",$array)."'";//that's why i use implode

$stmt = $this->db->prepare('SELECT libelle,activite,adresse,tel,lat,lng FROM etablissements where type IN ('.$in_list.')');

此时,您创建的SQL语句是：

SELECT libelle,activite,adresse,tel,lat,lng

FROM etablissements where type IN ('item1','Item2','Item3','Item4')

由于该语句没有参数,因此mysqli_stmt :: bind_param失败.不是将项插入到语句中(易于注入),而是插入一串参数,然后绑定值(必须保持独立).

$array=array("item1","item2","item3","item4");

if (count($in_list) > 0) {

$query = $this->db->prepare('SELECT libelle,activite,adresse,tel,lat,lng FROM etablissements WHERE type IN (' . str_repeat('?, ', count($in_list)-1) . '?)');

$args = $in_list;

array_unshift($args, str_repeat('s', count($in_list)));

call_user_func_array(array($query, 'bind_param'), $args);

$query->execute();

$query->bind_result($libelle,$activite,$adresse,$tel,$lat,$lng);

}

PDO的绑定接口更直接.

$array=array("item1","item2","item3","item4");

if (count($in_list) > 0) {

$query = $this->db->prepare('SELECT libelle,activite,adresse,tel,lat,lng FROM etablissements WHERE type IN (' . str_repeat('?, ', count($in_list)-1) . '?)');

foreach ($in_list as $i => $arg) {

// query params are 1-based, so add 1 to the index

// PDO::PARAM_STR is the default type, so no need to pass 3rd arg

$query->bindValue($i+1, $arg);

}

$query->execute();

// no need to bind the result

}

实际上,使用PDO可以更简单,因为PDOStatement::execute可以获取参数值列表：

$array=array("item1","item2","item3","item4");

if (count($in_list) > 0) {

$query = $this->db->prepare('SELECT libelle,activite,adresse,tel,lat,lng FROM etablissements WHERE type IN (' . str_repeat('?, ', count($in_list)-1) . '?)');

$query->execute($in_list);

}