4

我正在尝试从单个表中提取多行。我正在尝试以不同的邮政编码拉所有男性或所有女性。

<?php
$zipCodes = array("55555", "66666", "77777", etc...);

$fetchUser = mysql_query("select * from users where gender = '$_POST[gender]' ".implode(" or zipCode = ", $zipCodes)." order by id desc");
while($var = mysql_fetch_array($fetchUser)) {
  code...
}
?>
4

2 回答 2

2

你应该用IN这个,

SELECT ...
FROM   tableName
WHERE gender = '$_POST[gender]' AND
      zipCode IN (55555, 6666, 77777)

目前您的代码容易受到 SQL 注入的攻击。请阅读PDOMySQLI扩展。

阅读这篇文章的更多内容:在 PHP
PHP PDO 中防止 SQL 注入的最佳方法:我可以将数组绑定到 IN() 条件吗?

于 2012-09-26T07:45:49.633 回答
0 
// Prevent SQL injection for user input
$fetchUser = mysql_query("select * from users where gender = '".filter_var($_POST[gender], FILTER_SANITIZE_STRING)."' OR zipCode IN (".implode(",", $zipCodes).") order by id desc");)
于 2012-09-26T07:49:40.260 回答