The principle is simple. A database has only a few data types; the ones we use most are numeric values, strings and dates, and queries are normally built on numeric values and strings. A string query has the form where field = 'query condition'. Injection cannot happen there, because the single quotation marks turn the query condition into a string value rather than a piece of executable SQL. The injection vulnerability lies in query conditions without single quotation marks, that is, numeric conditions: the query has the form where field = query condition, with no quotation marks, and that is where injection occurs.

Next we fix this vulnerability. The traditional method is to filter out injection characters, but it causes a lot of inconvenience. Here are two new methods.

1. Add single quotation marks: change the query to where cstr(field) = 'query condition'. The database field being queried is converted to a string, so the condition must be wrapped in single quotation marks, and injection is prevented.

2. Check the type of the query condition first: use the isnumeric() function to check whether the condition is a numeric value, and only if it is, perform the database operation. All strings are rejected here, injection characters included.

I hope this helps.

Continued: In a numeric query, the database query takes the form where field = query condition, and single quotation marks are not allowed there, except when using method 1, where cstr(field) = 'query condition'. Let me discuss this: method 1 seems to me to have a problem. Method 2 I think is feasible. Method 1 I thought of on the spur of the moment. I searched for a while, and I am using it; it works very well.
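The following is an added example, not code from the original post: it reproduces the unquoted numeric condition the post describes and beside it method 2, the type check before the database call. The table, its rows and the lookup functions are constructed here; a strict digit pattern stands in for isnumeric(), and the validated value is additionally bound as a parameter instead of being concatenated.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the post's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return conn


def lookup_unsafe(conn, cond):
    """The vulnerable pattern from the post: where field = condition, no quotes.

    Whatever the caller supplies becomes part of the SQL text, so a condition
    that is not a plain number changes the statement instead of being a value.
    """
    sql = "SELECT id, name FROM users WHERE id = " + cond
    return conn.execute(sql).fetchall()


# Method 2: verify the condition is numeric before touching the database.
# A strict pattern (optional sign, digits, surrounding whitespace) is used here
# rather than reproducing VBScript IsNumeric's looser rules (a deliberate choice).
NUMERIC = re.compile(r"^\s*-?\d+\s*$")


def is_numeric(cond):
    return NUMERIC.match(cond) is not None


def lookup_checked(conn, cond):
    """Reject anything non-numeric, then bind the value as a parameter."""
    if not is_numeric(cond):
        raise ValueError("non-numeric query condition rejected")
    # Parameter binding keeps the value out of the SQL text entirely, so even
    # a pass-through of the check could not alter the statement.
    sql = "SELECT id, name FROM users WHERE id = ?"
    return conn.execute(sql, (int(cond),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, "2"))          # one row
    print(len(lookup_unsafe(db, "2 OR 1=1")))  # whole table: the injection
    print(lookup_checked(db, "2"))         # one row
    print(is_numeric("2 OR 1=1"))          # False: rejected before any query
```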