
I was working on a search form that stores people's names in an array, and then wanted to create a query on the results page in PHP that uses an IN clause (if that's the best way; feel free to point me in another direction). Basically the page has checkboxes for all the names, so they can check one, many or all names. I tried using the implode function, but have been unsuccessful so far.

$yourName = implode("', '", $_POST['Your_name']);

if ($dutyReq == "All" && $yourName != "All") {
    $query = "SELECT * FROM talent_eas WHERE Your_name IN ('$yourName')";
}

Does that look at all right? Would that handle all scenarios? I'm just starting out with PHP so I have no idea what I'm doing. I tried searching for my specific question but just didn't seem to see much use of the IN clause.


3 Answers


Yes, that is how to use IN. Here are some more examples:

SELECT * FROM users WHERE name IN ('John','Jane');

SELECT * FROM some_table WHERE the_month IN ('January','April','September');

Also, please read up on SQL injection.

For your comment:

You need to use mysql_real_escape_string BEFORE the implode. So your code should be:

// mysql_real_escape_string() takes a single string, so escape each submitted
// name individually with array_map() and only then implode the escaped values
$yourName = implode("', '", array_map('mysql_real_escape_string', $_POST['Your_name']));

answered 2012-09-10T16:25:16.860

You can use

SELECT * FROM talent_eas WHERE Your_name IN ('shail','jyoti');

I suggest you read about MySQL injection, else your code can be hacked easily.

answered 2012-09-10T16:27:43.333

Here are a few ways to prevent SQLi:

# 1. Map each name through the escape function, then implode
$yourname = implode("', '", array_map('mysql_real_escape_string', $_POST['Your_name']));

# 2. Use PDO with a prepared statement (one placeholder per value, e.g. IN (?, ?, ?))
#    Note: an empty $_POST['Your_name'] yields "IN ()", which MySQL rejects; check for that first.
$placeholders = array_fill(0, sizeof($_POST['Your_name']), '?');
$stmt         = $pdo->prepare('SELECT * FROM talent_eas WHERE Your_name IN (' . implode(', ', $placeholders) . ')');

$stmt->execute($_POST['Your_name']);

answered 2012-09-10T16:46:47.053
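The warning in the first two answers and the placeholder-per-value pattern in the third can be seen side by side in one runnable example. This is an added illustration, not code from any of the answers above: it uses Python's built-in sqlite3 module instead of PHP/MySQL because the pattern is the same and it runs stand-alone, the talent_eas rows are constructed sample data, and the injection payload is a made-up checkbox value of the kind an attacker would submit. query_unsafe() builds the IN list the way the question does; query_safe() builds it the way the PDO answer does, and also guards the empty-selection case, which the PDO answer leaves open.

```python
import sqlite3

# Constructed sample data standing in for the question's talent_eas table.
# The O'Brien row is deliberate: a single quote in real data is exactly what
# breaks (or gets exploited in) a string-built IN ('...') clause.
SAMPLE_ROWS = [
    ("shail", "All"),
    ("jyoti", "Weekdays"),
    ("John", "All"),
    ("Jane", "Weekends"),
    ("O'Brien", "All"),
]

# A checkbox value an attacker can submit (constructed). Pasted into the
# question's query it becomes:  IN ('x') OR ('1'='1')  -> every row matches.
INJECTION_PAYLOAD = "x') OR ('1'='1"


def make_db():
    """In-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE talent_eas (Your_name TEXT NOT NULL, duty TEXT NOT NULL)")
    conn.executemany("INSERT INTO talent_eas VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def query_unsafe(conn, names):
    """The question's pattern: implode("', '", ...) pasted straight into the SQL text."""
    joined = "', '".join(names)
    sql = f"SELECT Your_name FROM talent_eas WHERE Your_name IN ('{joined}') ORDER BY Your_name"
    return [row[0] for row in conn.execute(sql)]


def query_safe(conn, names):
    """The PDO answer's pattern: one ? per submitted name, values passed separately."""
    names = list(names)
    if not names:
        # 'IN ()' is a syntax error in both MySQL and SQLite; no boxes ticked -> no rows.
        return []
    placeholders = ", ".join("?" * len(names))  # e.g. "?, ?, ?"
    sql = f"SELECT Your_name FROM talent_eas WHERE Your_name IN ({placeholders}) ORDER BY Your_name"
    return [row[0] for row in conn.execute(sql, names)]


def unsafe_query_fails(conn, names):
    """True if the string-built query is rejected by the database (e.g. a name with a quote)."""
    try:
        query_unsafe(conn, names)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    print("benign, unsafe: ", query_unsafe(conn, ["shail", "jyoti"]))
    print("benign, safe:   ", query_safe(conn, ["shail", "jyoti"]))
    print("payload, unsafe:", query_unsafe(conn, [INJECTION_PAYLOAD]))  # whole table leaks
    print("payload, safe:  ", query_safe(conn, [INJECTION_PAYLOAD]))    # no match
    print("O'Brien, unsafe query fails:", unsafe_query_fails(conn, ["O'Brien"]))
    print("O'Brien, safe:  ", query_safe(conn, ["O'Brien"]))
    print("nothing ticked, safe:", query_safe(conn, []))
```

Both functions return the same rows for ordinary names; they differ only when the input is hostile or merely awkward. With the payload, the string-built query returns the whole table, while the parameterized one returns nothing because the payload is compared as a literal name. With O'Brien the string-built query does not even parse, while the parameterized one finds the row. The ORDER BY is only there to make the returned lists deterministic.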