I have a checkbox form that passes an array of id values. I then implode the array like this:

$ship = $_POST['result'];
$array=implode(",", $ship);
$shipping=ship_update($array);

The MySQL query function looks like this:

function ship_update($array){
    global $MEMS;
    echo $array;
    $query="SELECT * FROM Inventory
        WHERE MEMS_ID IN ('$array')
            ORDER BY WAFER ASC, RC ASC";
    $shipping=$MEMS -> exec($query);
    return $shipping;
}

When I run this code, $shipping comes back as an empty query. What am I doing wrong?

3 Answers

This should be

$array = "'" . implode("','", $ship) . "'";

and in your query,

$query="SELECT * FROM Inventory
        WHERE MEMS_ID IN ($array)    // remove the single quotes to
        ORDER BY WAFER ASC, RC ASC"; // avoid syntax error

Warning: this is still vulnerable to SQL injection.

Answered 2013-09-12T16:02:35.933
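The answer above fixes the quoting but, as it says, still interpolates form input straight into the SQL string. The following is an added example (not code from the question or any of the answers) of the same IN (...) query with one bound placeholder per value, so the values never become part of the SQL text. It assumes $MEMS is a PDO connection and keeps the table and column names from the question; the DSN and credentials are placeholders. It uses prepare/execute/fetchAll because PDO::exec() returns only an affected-row count and never a result set, so a SELECT run through exec() always looks empty.

```php
<?php
// Added example, not from the original post: parameterised IN (...) list.
// Assumes $MEMS is a PDO connection (name taken from the question).

/**
 * Fetch Inventory rows whose MEMS_ID is in $ids.
 *
 * @param PDO   $MEMS PDO connection
 * @param array $ids  raw values from $_POST['result']
 * @return array      rows as associative arrays; empty array for no ids
 */
function ship_update(PDO $MEMS, array $ids): array
{
    // Drop any keys the form may have sent; an empty IN () is a MySQL
    // syntax error, so return early instead of building a broken query.
    $ids = array_values($ids);
    if ($ids === []) {
        return [];
    }

    // One "?" per value: IN (?,?,?). Only the placeholder count depends on
    // user input; the values themselves are sent separately by PDO, so
    // quoting, escaping and injection are no longer the caller's problem.
    $placeholders = implode(',', array_fill(0, count($ids), '?'));

    $sql = "SELECT * FROM Inventory
            WHERE MEMS_ID IN ($placeholders)
            ORDER BY WAFER ASC, RC ASC";

    $stmt = $MEMS->prepare($sql);
    foreach ($ids as $i => $id) {
        // Positional parameters are 1-based. Binding as a string is safe
        // whether MEMS_ID is numeric or textual; MySQL coerces as needed.
        $stmt->bindValue($i + 1, (string) $id, PDO::PARAM_STR);
    }
    $stmt->execute();

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * For contrast: the string-building approach from the answer above.
 * With a constructed value such as "x') OR ('1'='1" the result is
 *   '12','x') OR ('1'='1'
 * and the query becomes ... IN ('12','x') OR ('1'='1'), matching every row.
 */
function naive_in_list(array $ship): string
{
    return "'" . implode("','", $ship) . "'";
}

// Usage with the form data from the question. Emulated prepares are turned
// off so the MySQL server, not the client library, does the binding.
$MEMS = new PDO('mysql:host=localhost;dbname=mems', 'user', 'pass', [   // placeholder DSN/credentials
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$ship = (isset($_POST['result']) && is_array($_POST['result'])) ? $_POST['result'] : [];
$shipping = ship_update($MEMS, $ship);
```

Note that the placeholder list is rebuilt per request, so the prepared statement cannot be cached across calls with a different number of ids; if that matters, cap the number of checkboxes accepted per request rather than falling back to string concatenation.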

Try the query without the single quotes

SELECT * FROM Inventory
        WHERE MEMS_ID IN ($array)
            ORDER BY WAFER ASC, RC ASC
Answered 2013-09-12T16:03:10.087

There are no single quotes between the array elements. Change

$array=implode(",", $ship);

to

$array=implode("','", $ship);
Answered 2013-09-12T16:02:31.360