SQL injection usually happens because the SQL is assembled loosely: the problem lies in the SQL statement itself, and the decisive character is the single quote ('). For example:
$sql = "delete from table where id ='$id'" ;
A normal submission deletes a single row, but if the id submitted is 1' or 1 #, the SQL statement becomes
delete from table where id = '1' or 1 #';
The # comments out the trailing quote, so the whole table is deleted, a result that cannot be undone.
Since the problem comes from the quote, it is enough to escape it (\').
- PHP provides two functions for this:
addslashes($str); // Recommended: use the function below instead, which avoids character-set problems
mysql_real_escape_string($str, $link);
// Integer data may not get quotes added by the SQL, so force the escaped value to be wrapped in quotes
// (a method of a class that keeps the connection in $this->link; named quoteValue here)
function quoteValue($str) { return "'" . mysql_real_escape_string($str, $this->link) . "'"; }
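An added example, not code from the original post, putting the vulnerable delete beside two hardened forms. Because the mysql_* extension was removed in PHP 7, it uses mysqli for the escaping approach and a PDO prepared statement for the preferred one; the table name items and the connections $link and $pdo are assumptions.

```php
<?php
// Vulnerable: $id is pasted straight into the SQL, so a quote in the input
// changes the statement (this is the post's delete with the id interpolated).
function deleteVulnerable(string $id): string {
    return "DELETE FROM items WHERE id = '$id'";
}

// Hardened by escaping (the post's approach, on mysqli): escape the value AND
// always wrap it in quotes, so an integer-looking input cannot land unquoted.
function deleteEscaped(mysqli $link, string $id): string {
    return "DELETE FROM items WHERE id = '" . $link->real_escape_string($id) . "'";
}

// Hardened by a prepared statement (preferred): the value travels separately
// from the SQL text, so the server never parses the input as SQL. The digit
// check also rejects anything that is not a plain integer id up front.
function deletePrepared(PDO $pdo, string $id): int {
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $pdo->prepare('DELETE FROM items WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();   // rows actually deleted: 0 or 1
}

// The malformed id from the post, used as the sample input.
$input = "1' or 1 #";
echo deleteVulnerable($input), "\n";  // DELETE FROM items WHERE id = '1' or 1 #'

// With a live connection (assumed):
// $link = new mysqli('localhost', 'user', 'pass', 'db');
// echo deleteEscaped($link, $input), "\n";   // ... WHERE id = '1\' or 1 #'  (one literal, no row matches)
// $pdo = new PDO('mysql:host=localhost;dbname=db', 'user', 'pass');
// deletePrepared($pdo, $input);               // throws InvalidArgumentException before any SQL is sent
```

The escaped form still depends on the connection charset being set correctly on $link (set_charset), which is why the prepared statement is the safer default.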
The above covers how to prevent SQL injection in PHP; I hope it is helpful to readers interested in the PHP tutorial.