I want to do a query similar to the following:
SELECT f_name, l_name, title from
-> employee_data where title
-> IN ('Web Designer', 'System Administrator');
The search terms are received in an array $data = ['Web Designer', 'System Administrator'] and right now I can turn that array into Web Designer,System Administrator using:
$data = implode(',', $data)
Is there a good way to turn that array into 'Web Designer', 'System Administrator' so I can insert this phrase into the MySQL query directly as shown at the beginning of the post?
解决方案
You probably should use:
$data = implode( ', ', array_map( $data, array( $object, 'escape')));
$query .= 'title IN ( ' . $data . ')'; // Append to condition
Where $object->escape() would by function like:
public function $escape( $string){
return "'" . mysql_real_escape_string( $string, $this->connection) . "'";
}
Here's array_map() documentation, and mysql_real_escape_string(). This should be SQL injection proof solution.
805
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
