To prevent injection, after the SQL query statement is escaped with addslashes, the statement syntax is faulty.

A php + mysql project has a user named admin and the password is admin. The query statement is: {code ...} then query: {code ...} because SQL injection is prevented, we want to escape all SQL statements before querying them. So we escaped $ SQL statements using addslashes... [a php + mysql project]
There is a user whose username is admin and whose password is admin.
The query statement is:

$sql="select * from table_project where a_username='{$username}' and a_password='{$password}';";

Then query:

$ Res = mysql_query ($ SQL );...... Omitted

Because SQL injection is prevented, we want to escape all SQL statements before querying them. Therefore, we escaped $ SQL statements with addslashes, but an error occurred.

$sql=addslashes($sql);$res=mysql_query($sql);

Use admin and admin to log on smoothly before the line of code without escaping.
After logging on with admin and admin, the following errors are captured. How can this problem be solved?

Error code: 1064 error message: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\ 'admin \' and a_password = \ '21232f297a57a5a743894a0e4a801fc3 \ 'at line 1

Thank you!

Reply content:

[A php + mysql project]
There is a user whose username is admin and whose password is admin.
The query statement is:

$sql="select * from table_project where a_username='{$username}' and a_password='{$password}';";

Then query:

$ Res = mysql_query ($ SQL );...... Omitted

Because SQL injection is prevented, we want to escape all SQL statements before querying them. Therefore, we escaped $ SQL statements with addslashes, but an error occurred.

$sql=addslashes($sql);$res=mysql_query($sql);

Use admin and admin to log on smoothly before the line of code without escaping.
After logging on with admin and admin, the following errors are captured. How can this problem be solved?

Error code: 1064 error message: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\ 'admin \' and a_password = \ '21232f297a57a5a743894a0e4a801fc3 \ 'at line 1

Thank you!

Juvenile, PDO is king. mysqli is also OK.

php$db = new PDO('mysql:host=127.0.0.1;dbname=test;charset=utf8','root','rootpass');$stm = $db->prepare("select * from test where field = :value");$stm->bindValue(':value',$_GET['field'],PDO::PARAM_STR);$stm->execute();$rows = $stm->fetchAll(PDO::FETCH_ASSOC);var_dump($rows);

You can use mysqli.

php$db = new mysqli('127.0.0.1','root','rootpass','database_name');$stmt = $db->prepare("select * from test where field = ?");$stmt->bind_param('s',$_GET['field']);$stmt->execute();$rows = array();while ($row = $stmt->fetch()) array_push($rows,$row);var_dump($rows);

If the application only uses preprocessing statements, it can ensure that SQL injection is not performed.
------ Php manual preprocessing statement

Give up writing mysql_query, use pdo, and do not use addslashes, mysqli or pdo has a ready-made escape Method

$username = 'aaa';$password = 'bbb';$sql="select * from table_project where a_username='{$username}' and a_password='{$password}';";echo addslashes($sql);select * from table_project where a_username=\'aaa\' and a_password=\'bbb\';

The single quotation marks used to enclose strings are escaped. Of course, an error is returned.

We recommend that you use PDO.

Okay, I am white.
I escaped the username variable without escaping the entire SQL statement.

$username=addslashes($username);$password=md5($password);$sql="select * from table_project where...;";

The password is converted to md5, and the user name is escaped with addslashes, and then saved to the SQL statement for query. It seems like this is the case.
I don't know if this is the case in a general project?

php$username=mysql_real_escape_string($username);$password=mysql_real_escape_string($password);$sql="select * from table_project where a_username='{$username}' and a_password='{$password}';";

Use PDO and parameterized query. Do not concatenate strings. Note: To use PDO, you must first enable this function in php. ini.

You cannot escape the entire SQL statement. You only need to escape variables.

    $username=addslashes($username);    $sql="select * from table_project where a_username='{$username}' and a_password='{$password}';";

The addslashes () function adds a backslash before the specified predefined character.
The predefined characters are:
Single quotes (')
Double quotation marks (")
Backslash ()
NULL
The significance of adding \ is that mysql treats it as a string.

You cannot perform $ SQL. If you perform addslashes on the entire $ SQL statement, you can print your SQL statement, which is definitely incorrect.