且构网

Using a PHP variable before a MySQL query

Updated: 2023-02-06 19:07:00

Apart from the Alex Andrei comment, which is still valid, I would strongly suggest using a prepared statement instead of a plain SQL query. This is a related post about what to do (and not to do) with MySQL prepared statements and array parameters: mysqli bind_param for array of strings

Prepared statements offer "for free" a more reliable and secure dynamic parameter binding, which is what you want, and also better performance, especially with recurring queries, because prepared statements are (pre-)compiled by the database engine and much more efficient to execute.
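The array-parameter case mentioned in the answer, as an added example that is not part of the original post: a mysqli prepared statement with one bound placeholder per array element. The `users` table, its `id` and `name` columns, the connection settings and the `findUsersByNames` helper are assumptions made for illustration, and `get_result()` assumes the mysqlnd driver.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: fetch rows whose `name` matches any value in $names.
 * Values travel as bound parameters and are never spliced into the SQL text.
 */
function findUsersByNames(mysqli $db, array $names): array
{
    if ($names === []) {
        return []; // "IN ()" is a syntax error in MySQL, so short-circuit
    }
    // Re-index and cast so the spread below passes positional string arguments
    $names = array_map('strval', array_values($names));

    // Only "?" markers are concatenated into the query, one per value
    $placeholders = implode(',', array_fill(0, count($names), '?'));
    $sql = "SELECT id, name FROM users WHERE name IN ($placeholders)";

    $stmt = $db->prepare($sql);
    // One "s" (string) type character per value; spread binds each element
    $stmt->bind_param(str_repeat('s', count($names)), ...$names);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();

    return $rows;
}

// Make mysqli throw exceptions instead of failing silently
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Placeholder connection settings (assumed, replace with your own)
$db = new mysqli('127.0.0.1', 'app_user', 'app_password', 'app_db');
$db->set_charset('utf8mb4');

// Constructed sample input: the second value contains a quote character.
// Bound as a parameter, it is compared as a literal name and cannot change
// the structure of the query.
$names = ['alice', "o'brien"];

foreach (findUsersByNames($db, $names) as $row) {
    printf("%d\t%s\n", $row['id'], $row['name']);
}
```

Column and table names cannot be bound as parameters; if they must vary, choose them from a fixed allow-list in code.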