How to securely filter user-submitted data submissions to the database

SQL injection is always all-pervasive (PS: ' or 1=1#), how is it safe to filter (I use PHP and mysql_connect)?

Reply content:

SQL injection is always all-pervasive (PS: ' or 1=1#), how is it safe to filter (I use PHP and mysql_connect)?

You can use mysql_real_escape_string() to escape a string and then put it in SQL.

$name = mysql_real_escape_string($_POST['name']);mysql_query('SELECT * FROM `users` WHERE `name` = "'.$name.'"');//改进版。防 SQL 注入，同时屏蔽 _ 和 % 字符function escape($str) {  $str = mysql_real_escape_string($str);  $str = str_replace(['_', '%'], ['\\_', '\\%'], $str);  return $str;}

Here is the official introduction: http://www.php.net/manual/zh/function.mysql-real-escape-string.php

Personal advice or use a web framework, the common web framework has a perfect anti-injection mechanism.
For example:
Simple, Quick start: CodeIgniter
More versatile: Yii (this website is sometimes wall)

select * from users where name = @name

A parameterized query (parameterized query or parameterized Statement) is the use of parameters (Parameter) to give values when accessing a database, where values or data need to be populated.

In the case of parameterized queries, the database server does not treat the contents of the parameter as part of the SQL instruction, but only runs the parameters after the database has completed compiling the SQL instructions, so that even if the parameters contain instructions, they will not be run by the database. Commonly used databases such as Access, SQL Server, MySQL, SQLite support parameterized queries.

