```php
<?php
// $conn is an open mysqli connection (assumed to exist above this snippet).
// Undo magic_quotes if the runtime added slashes, then escape for MySQL.
// (get_magic_quotes_gpc() only exists in PHP < 8; it always returns false in PHP 5.4+.)
if (get_magic_quotes_gpc())
{
    $name = stripslashes($name);
}
$name = mysqli_real_escape_string($conn, $name);
mysqli_query($conn, "SELECT * FROM users WHERE name='{$name}'");
```
PHP's MySQL extension provides mysql_real_escape_string() (the mysqli counterpart used above is mysqli_real_escape_string()), which escapes quotes and other characters that could terminate a string literal.
Injection in LIKE statements

```php
<?php
// $conn is an open mysqli connection (assumed to exist above this snippet).
// mysqli_real_escape_string() does not touch the LIKE wildcards % and _,
// so addcslashes() escapes them separately.
$sub = addcslashes(mysqli_real_escape_string($conn, "%something_"), "%_");
// $sub == \%something\_
// MySQL's default LIKE escape character is the backslash, so \% and \_ match literally.
mysqli_query($conn, "SELECT * FROM messages WHERE subject LIKE '{$sub}%'");
```

The addcslashes() function adds a backslash before each of the specified characters. It is needed here because mysqli_real_escape_string() protects the string literal but leaves % and _ intact, so user input could otherwise widen a LIKE prefix search into a match on every row.
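The following is an added example, not code from the original post. It reproduces the LIKE wildcard problem in Python with SQLite (in place of the post's PHP and MySQL) so it runs offline: the escape_like() helper plays the role of addcslashes($s, "%_"), the query binds the pattern as a parameter instead of interpolating an escaped string, and an explicit ESCAPE clause tells LIKE which character is the escape. The table and its rows are constructed sample data.

```python
from __future__ import annotations

import sqlite3

# Constructed sample data (not from the original post).
SAMPLE_SUBJECTS = [
    "%something_ literal",   # contains a literal % and _ at the start
    "something else",
    "somethingX more",
    "unrelated",
]


def escape_like(term: str, esc: str = "\\") -> str:
    """Escape LIKE metacharacters so they match literally.

    Equivalent to addcslashes($term, "%_") in the post, except that the escape
    character itself is escaped first; addcslashes(..., "%_") alone would let a
    trailing backslash in user input swallow the appended wildcard.
    """
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def make_db() -> sqlite3.Connection:
    """Create an in-memory messages table with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (subject TEXT)")
    conn.executemany("INSERT INTO messages VALUES (?)",
                     [(s,) for s in SAMPLE_SUBJECTS])
    return conn


def search_prefix(conn: sqlite3.Connection, prefix: str,
                  escape_wildcards: bool) -> list[str]:
    """Return subjects starting with prefix.

    With escape_wildcards=False the user-supplied prefix is used as-is, so any
    % or _ in it acts as a wildcard. With True it is escaped, so the prefix is
    matched literally. Either way the pattern is bound as a parameter, so the
    string literal itself cannot be broken out of.
    """
    pattern = (escape_like(prefix) if escape_wildcards else prefix) + "%"
    rows = conn.execute(
        "SELECT subject FROM messages WHERE subject LIKE ? ESCAPE '\\'",
        (pattern,),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    user_input = "%something_"
    print("unescaped:", search_prefix(db, user_input, escape_wildcards=False))
    print("escaped:  ", search_prefix(db, user_input, escape_wildcards=True))
```

Run as a script, the unescaped search for "%something_" returns every row containing "something", while the escaped search returns only the row whose subject literally begins with "%something_". Parameter binding alone would not have prevented the first result; the wildcard escaping is a separate step, which is the point the post makes with addcslashes().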