周大胖子 posted on 2018-7-28 00:13:55

Preventing SQL injection in MySQL

if (get_magic_quotes_gpc())
{
    $name = stripslashes($name);
}
$name = mysqli_real_escape_string($conn, $name);
mysqli_query($conn, "SELECT * FROM users WHERE name='{$name}'");

PHP's MySQL extension provides mysql_real_escape_string().


Injection in LIKE statements

$sub = addcslashes(mysqli_real_escape_string($conn, "%something_"), "%_");
// $sub == \%something\_
mysqli_query($conn, "SELECT * FROM messages WHERE subject LIKE '{$sub}%'");

The addcslashes() function adds a backslash before the specified characters.
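As an added example (not code from the original post), the same LIKE search written with a prepared statement: binding the parameter protects the SQL structure, but % and _ are still LIKE wildcards and must be escaped separately, so the escape character is declared explicitly with ESCAPE. The $conn connection, the messages(id, subject) table and the '!' escape character are assumptions.

```php
<?php
// Added example, not the original post's code.
// Assumes a mysqli connection in $conn and a table messages(id, subject).

/**
 * Escape LIKE metacharacters so user input matches literally.
 * The escape character itself is doubled first, so that a user-supplied '!'
 * cannot neutralise the escaping of a following % or _.
 * Using an explicit ESCAPE clause avoids relying on the server default
 * backslash, which is not a LIKE escape under NO_BACKSLASH_ESCAPES.
 */
function escapeLikePattern(string $value, string $escape = '!'): string
{
    return str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $value
    );
}

/**
 * Prefix search on messages.subject using a bound parameter.
 * The pattern (including the trailing %) is passed as data, never
 * concatenated into the SQL text.
 */
function findMessagesBySubjectPrefix(mysqli $conn, string $prefix): array
{
    $pattern = escapeLikePattern($prefix) . '%';
    $stmt = $conn->prepare(
        "SELECT id, subject FROM messages WHERE subject LIKE ? ESCAPE '!'"
    );
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    // get_result() requires the mysqlnd driver (default in modern PHP).
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Sanity checks for the escaping helper; these run without a database.
assert(escapeLikePattern('%something_') === '!%something!_');
assert(escapeLikePattern('a!b') === 'a!!b');
assert(escapeLikePattern('plain') === 'plain');
```

With mysqli_real_escape_string() the connection character set must be set with mysqli_set_charset() for the escaping to be correct; the prepared-statement form above does not depend on that.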
