How to use a PHP variable generated in a loop in a MySQL query

I need a little help. How do I add the PHP value `$filtr_zamestnanci_ID` into the `mysql_query`? The code is here:
```php
<?php
if (isset($_POST["filtr_zamestnanci_ID"])) {
    // Append one condition per submitted employee ID
    for ($a = 0; $a < count($_POST["filtr_zamestnanci_ID"]); $a++) {
        $filtr_zamestnanci_ID .= "AND companies_text_records_user_ID = '".$_POST["filtr_zamestnanci_ID"][$a]."' ";
    }
} else {
    $filtr_zamestnanci_ID = "";
}
echo "filtr_zamestnanci_ID :".$filtr_zamestnanci_ID;
mysql_query("SET CHARACTER SET utf8");
$sql_1 =
mysql_query("SELECT * FROM companies_text_records
    LEFT JOIN companies ON companies_text_records_company_ID = company_ID
    LEFT JOIN login_users ON user_id = companies_text_records_user_ID
    WHERE companies_text_records_relative_to = '0'
    '".$filtr_zamestnanci_ID."'
    ORDER BY companies_text_records_ID DESC");
?>
```
If I pass it without the loop, everything is OK. But the loop output does not work at all. Maybe it is the format of `$filtr_zamestnanci_ID`?
FYI, [you shouldn't use `mysql_*` functions in new code](http://stackoverflow.com/questions/12859942/). They are no longer maintained [and are officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). See the [red box](http://php.net/manual/en/function.mysql-connect.php)? Learn about [*prepared statements*](https://en.wikipedia.org/wiki/Prepared_statement) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli); [this article](http://php.net/manual/en/mysqlinfo.api.choosing.php) will help you decide which one is best for you.
Your script is at risk of [SQL injection attacks](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you escape inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php).
Put `mysql_query` inside the loop...
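The approach the comments above recommend, applied to the question's query, as an added example that is not code from the asker or the commenters: the filter is built from the posted array with one `?` placeholder per value and bound through PDO, so the values never become part of the SQL text. It keeps the table and column names from the question; the connection string, database name and credentials are placeholders, and the `$pdo` handle is assumed to be created as shown.

```php
<?php
// Added example: builds the employee filter with PDO placeholders instead of
// concatenating POST values into the SQL string. Table/column names are the
// ones from the question; DSN and credentials below are placeholders.

function buildEmployeeFilterQuery(array $employeeIds): array
{
    $sql = "SELECT * FROM companies_text_records
            LEFT JOIN companies ON companies_text_records_company_ID = company_ID
            LEFT JOIN login_users ON user_id = companies_text_records_user_ID
            WHERE companies_text_records_relative_to = '0'";
    $params = [];

    // Only add the filter when at least one ID was submitted. A record has a
    // single user_ID, so several values must be matched with IN (i.e. OR);
    // chaining them with AND, as the original loop did, can never match.
    if (count($employeeIds) > 0) {
        $placeholders = implode(', ', array_fill(0, count($employeeIds), '?'));
        $sql .= " AND companies_text_records_user_ID IN ($placeholders)";
        $params = array_values($employeeIds);
    }

    $sql .= " ORDER BY companies_text_records_ID DESC";
    return [$sql, $params];
}

// Accept the filter only if it arrived as an array, otherwise treat it as empty.
$employeeIds = (isset($_POST['filtr_zamestnanci_ID']) && is_array($_POST['filtr_zamestnanci_ID']))
    ? $_POST['filtr_zamestnanci_ID']
    : [];

[$sql, $params] = buildEmployeeFilterQuery($employeeIds);

// Placeholder connection details. The charset goes into the DSN, which replaces
// the separate "SET CHARACTER SET utf8" call in the question.
$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4',
    'DB_USER',
    'DB_PASSWORD',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

$stmt = $pdo->prepare($sql);
$stmt->execute($params);   // values are sent separately from the SQL text
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

With two submitted IDs the prepared text ends in `... = '0' AND companies_text_records_user_ID IN (?, ?) ORDER BY ...`, and the two values travel as bound parameters; with none submitted the `IN` clause is omitted entirely, which is the "no loop" case the question says already works.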