3回答

陪伴而非守候

与几乎所有“我如何从PHP中执行SQL”问题一样 - 您确实应该使用预准备语句。这并不难：$ids&nbsp; = array(2, 4, 6, 8);// prepare an SQL statement with a single parameter placeholder$sql&nbsp; = "UPDATE MyTable SET LastUpdated = GETDATE() WHERE id = ?";$stmt = $mysqli->prepare($sql);// bind a different value to the placeholder with each executionfor ($i = 0; $i < count($ids); $i++){&nbsp; &nbsp; $stmt->bind_param("i", $ids[$i]);&nbsp; &nbsp; $stmt->execute();&nbsp; &nbsp; echo "Updated record ID: $id\n";}// done$stmt->close();或者，您可以这样做：$ids&nbsp; &nbsp; = array(2, 4, 6, 8);// prepare an SQL statement with multiple parameter placeholders$params = implode(",", array_fill(0, count($ids), "?"));$sql&nbsp; &nbsp; = "UPDATE MyTable SET LastUpdated = GETDATE() WHERE id IN ($params)";$stmt&nbsp; &nbsp;= $mysqli->prepare($sql);// dynamic call of mysqli_stmt::bind_param&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; hard-coded eqivalent$types = str_repeat("i", count($ids));&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; // "iiii"$args = array_merge(array($types), $ids);&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;// ["iiii", 2, 4, 6, 8]call_user_func_array(array($stmt, 'bind_param'), ref($args)); // $stmt->bind_param("iiii", 2, 4, 6, 8)// execute the query for all input values in one step$stmt->execute();// done$stmt->close();echo "Updated record IDs: " . implode("," $ids) ."\n";// ----------------------------------------------------------------------------------// helper function to turn an array of values into an array of value references// necessary because mysqli_stmt::bind_param needs value refereces for no good reasonfunction ref($arr) {&nbsp; &nbsp; $refs = array();&nbsp; &nbsp; foreach ($arr as $key => $val) $refs[$key] = &$arr[$key];&nbsp; &nbsp; return $refs;}根据需要为其他字段添加更多参数占位符。哪一个选？第一个变体迭代地使用可变数量的记录，多次命中数据库。这对UPDATE和INSERT操作最有用。第二种变体也可以使用可变数量的记录，但它只能访问数据库一次。这比迭代方法更有效，显然你只能对所有受影响的记录做同样的事情。这对SELECT和DELETE操作最有用，或者当您想要使用相同数据更新多个记录时。为何准备好陈述？准备好的语句更安全，因为它们不可能使SQL注入攻击。这是使用预准备语句的主要原因，即使编写它们的工作量更大。一个明智的习惯是：即使你认为“不是真的有必要”，也要使用准备好的陈述。忽视会来咬你（或你的客户）。使用不同的参数值多次重复使用相同的预准备语句比将多个完整的SQL字符串发送到数据库更有效，因为数据库只需要编译一次语句并且也可以重复使用它。只有参数值被发送到数据库execute()，因此重复使用时需要更少的数据通过线路。在较长的循环中，使用预准备语句和发送纯SQL之间的执行时间差异将变得明显。

0 0

0

Cats萌萌

使用“IN”条款你可能会追求什么$ids&nbsp;=&nbsp;array(2,4,6,8);$ids&nbsp;=&nbsp;implode($ids);$sql="SELECT&nbsp;*&nbsp;FROM&nbsp;my_table&nbsp;WHERE&nbsp;id&nbsp;IN($ids);";mysql_query($sql);否则，出了什么问题$ids&nbsp;=&nbsp;array(2,4,6,8);foreach($ids&nbsp;as&nbsp;$id)&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;$sql="SELECT&nbsp;*&nbsp;FROM&nbsp;my_table&nbsp;WHERE&nbsp;ID&nbsp;=&nbsp;$id;"; &nbsp;&nbsp;&nbsp;&nbsp;mysql_query($sql);}

0 0

0

梵蒂冈之花

$values_filtered&nbsp;=&nbsp;array_filter('is_int',&nbsp;$values);if&nbsp;(count($values_filtered)&nbsp;==&nbsp;count($values))&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;$sql&nbsp;=&nbsp;'update&nbsp;table&nbsp;set&nbsp;attrib&nbsp;=&nbsp;'something'&nbsp;where&nbsp;someid&nbsp;in&nbsp;('&nbsp;.&nbsp;implode(',',&nbsp;$values_filtered)&nbsp;.&nbsp;');'; &nbsp;&nbsp;&nbsp;&nbsp;//execute}&nbsp;else&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;//do&nbsp;something}

0 0

0