"A PHP+MySQL project"
There is a user whose username is admin and password is admin.
The query statement is:
```php
$sql = "select * from table_project where a_username='{$username}' and a_password='{$password}';";
```
Then the query:
```php
$res = mysql_query($sql); // ... (omitted)
```
To prevent SQL injection, I wanted to escape before running the query, so I applied addslashes to the $sql statement, but it went wrong.
```php
$sql = addslashes($sql);
$res = mysql_query($sql);
```
Before the escaping line was added, I could log in with admin/admin.
After adding it and logging in with admin/admin, I get the following error. Could an expert tell me how to fix this?
Error number: 1064 Error message: You have an error in your SQL syntax;check the manual that corresponds to your MySQL server version for the right syntax to use near '\'admin\' and a_password=\'21232f297a57a5a743894a0e4a801fc3\'' at line 1
Thanks a lot!
Reply content:
Young man, PDO is the way to go. mysqli is fine too.
```php
// PDO with a named placeholder: the value is bound, never interpolated into the SQL text
$db = new PDO('mysql:host=127.0.0.1;dbname=test;charset=utf8', 'root', 'rootpass');
$stm = $db->prepare("select * from test where field = :value");
$stm->bindValue(':value', $_GET['field'], PDO::PARAM_STR);
$stm->execute();
$rows = $stm->fetchAll(PDO::FETCH_ASSOC);
var_dump($rows);
```
mysqli can do it too.
```php
// mysqli with a positional placeholder; 's' types the bound value as a string
$db = new mysqli('127.0.0.1', 'root', 'rootpass', 'database_name');
$stmt = $db->prepare("select * from test where field = ?");
$stmt->bind_param('s', $_GET['field']);
$stmt->execute();
// get_result() requires the mysqlnd driver; calling $stmt->fetch() without
// bind_result() only returns true/false, not the row data
$result = $stmt->get_result();
$rows = array();
while ($row = $result->fetch_assoc()) {
    $rows[] = $row;
}
var_dump($rows);
```
"If your application uses only prepared statements, you can be sure that no SQL injection will occur."
------ PHP Manual, Prepared statements
Give up mysql_query and use PDO. I also recommend not using addslashes; mysqli and PDO each have a ready-made escape method.
```php
$username = 'aaa';
$password = 'bbb';
$sql = "select * from table_project where a_username='{$username}' and a_password='{$password}';";
echo addslashes($sql);
```
Output:
```
select * from table_project where a_username=\'aaa\' and a_password=\'bbb\';
```
The single quotes that wrap the string values get escaped too, so of course it errors.
I'd also recommend using PDO.
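The three approaches in the replies above side by side, as an added example that is not code from the thread: addslashes over the whole statement (the asker's bug), addslashes over the values only, and a PDO parameterized query. The table and column names follow the question; the DSN credentials are placeholders, and md5 is kept only to match the asker's schema.

```php
<?php
// Added example, not from the thread. DB_USER / DB_PASS are placeholders.

// The asker's version: escaping the finished statement also escapes the quotes
// that delimit the string literals, which is what produces the 1064 error.
function build_escaped_whole(string $username, string $password): string {
    $sql = "select * from table_project where a_username='{$username}' and a_password='{$password}'";
    return addslashes($sql);
}

// Escaping only the interpolated values leaves the delimiting quotes intact,
// so a username such as o'brien still yields well-formed SQL.
function build_escaped_values(string $username, string $password): string {
    $u = addslashes($username);
    $p = addslashes(md5($password)); // md5 kept to match the question's schema
    return "select * from table_project where a_username='{$u}' and a_password='{$p}'";
}

// Parameterized query: the values never become part of the SQL text, so no
// escaping step is needed at all. Returns the matching row or null.
function login(PDO $db, string $username, string $password): ?array {
    $stm = $db->prepare(
        "select * from table_project where a_username = :u and a_password = :p"
    );
    $stm->bindValue(':u', $username, PDO::PARAM_STR);
    $stm->bindValue(':p', md5($password), PDO::PARAM_STR);
    $stm->execute();
    $row = $stm->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Compare the two string-building approaches on a name containing a quote.
echo build_escaped_whole("o'brien", 'admin'), "\n";
echo build_escaped_values("o'brien", 'admin'), "\n";

// Live check against the database (placeholder credentials).
$db = new PDO(
    'mysql:host=127.0.0.1;dbname=test;charset=utf8mb4', 'DB_USER', 'DB_PASS',
    [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,   // fail loudly instead of silently
        PDO::ATTR_EMULATE_PREPARES => false,            // server-side prepares, real binding
    ]
);
var_dump(login($db, 'admin', 'admin'));
```

Unlike mysql_real_escape_string, addslashes knows nothing about the connection charset, which is one more reason to prefer binding over escaping.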
Alright, I'm a newbie.
I escaped the username variable instead of the entire SQL statement, and then it worked.
```php
$username = addslashes($username);
$password = md5($password);
$sql = "select * from table_project where...;";
```
The password is MD5-hashed, the username is escaped with addslashes, and then both are put into the SQL query; this seems to work.
I don't know whether typical projects handle it the same way?
```php
// escape each value with the connection-aware function, then interpolate
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$sql = "select * from table_project where a_username='{$username}' and a_password='{$password}';";
```
Use PDO with parameterized queries; don't build the SQL by concatenating strings. Note that using PDO requires the extension to be enabled first in php.ini.
You cannot escape the entire SQL statement, only the variables that need escaping.
```php
$username = addslashes($username);
$sql = "select * from table_project where a_username='{$username}' and a_password='{$password}';";
```
The addslashes() function adds a backslash before certain predefined characters.
These predefined characters are:
Single quote (')
Double quote (")
Backslash (\)
NUL
Adding the backslash means MySQL treats the character as part of the string.
You must not apply it to $sql as a whole. If you addslashes the entire $sql, print out your SQL statement and you'll see it is definitely not correct.