Col. Shrapnel的SafeMySQL PHP库在其参数化查询中提供了类型提示占位符，并包括了两个用于处理数组的方便占位符。?a占位符将数组展开为逗号分隔的转义字符串列表*。

例如:

$someArray = [1, 2, 5];
$galleries = $db->getAll("SELECT * FROM galleries WHERE id IN (?a)", $someArray);

*请注意，由于MySQL执行自动类型强制，SafeMySQL将上面的id转换为字符串并不重要-您仍然会得到正确的结果。

所有交易所:

$query = "SELECT * FROM `$table` WHERE `$column` IN(".implode(',',$array).")";

字符串:

$query = "SELECT * FROM `$table` WHERE `$column` IN('".implode("','",$array)."')";

小心!此答案包含一个严重的SQL注入漏洞。不要使用这里给出的代码示例，除非确保任何外部输入都被清除。

$ids = join("','",$galleries);   
$sql = "SELECT * FROM galleries WHERE id IN ('$ids')";

如果正确筛选输入数组，我们可以使用这个"WHERE id IN"子句。就像这样:

$galleries = array();

foreach ($_REQUEST['gallery_id'] as $key => $val) {
    $galleries[$key] = filter_var($val, FILTER_SANITIZE_NUMBER_INT);
}

如下面的例子所示:

$galleryIds = implode(',', $galleries);

也就是说，现在你应该安全地使用$query = "SELECT * FROM galleries WHERE id IN ({$galleryIds})";

更安全。

$galleries = array(1,2,5);
array_walk($galleries , 'intval');
$ids = implode(',', $galleries);
$sql = "SELECT * FROM galleries WHERE id IN ($ids)";

假设你事先正确地清理了你的输入……

$matches = implode(',', $galleries);

然后调整你的查询:

SELECT *
FROM galleries
WHERE id IN ( $matches ) 

根据数据集适当地引用值。