SQL injection prevention with PHP + MySQL

There are two approaches: escape the input before writing it, or use prepared statements from the mysqli extension.

1. Escape before writing

// what's becomes what\'s
// (requires an open mysql_connect() link; the mysql_* extension was removed in PHP 7,
// and the escaped value must still be placed inside quotes in the SQL string)
$title = mysql_real_escape_string($_POST['title']);
// after saving to the database and reading it back, it is what's again

2. Prepared statements

To be added
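As an added example that is not part of the original post, this is how the same "insert a title" case looks with a mysqli prepared statement. The connection parameters (DB_USER, DB_PASSWORD, DB_NAME) and the posts table with a title column are assumptions for the example; the SQL text is sent to the server with a ? placeholder and the value is bound separately, so a quote in the input is never parsed as SQL and no escaping call is needed.

```php
<?php
// Added example, not the original post's code. Connection details are placeholders.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($db->connect_error) {
    die('Connection failed: ' . $db->connect_error);
}
// Declare the connection charset so the server interprets bound strings correctly.
$db->set_charset('utf8mb4');

// Input as in the original post; the fallback value is a constructed sample.
$title = $_POST['title'] ?? "what's";

// The statement is parsed by the server with a placeholder, before any data is seen.
$stmt = $db->prepare('INSERT INTO posts (title) VALUES (?)');
if ($stmt === false) {
    die('Prepare failed: ' . $db->error);
}
$stmt->bind_param('s', $title); // 's' = bind as string
if (!$stmt->execute()) {
    die('Execute failed: ' . $stmt->error);
}
$stmt->close();

// Reading it back the same way: the stored value is what's, with no backslash.
$stmt = $db->prepare('SELECT title FROM posts WHERE title = ?');
if ($stmt === false) {
    die('Prepare failed: ' . $db->error);
}
$stmt->bind_param('s', $title);
$stmt->execute();
$stmt->bind_result($stored);
while ($stmt->fetch()) {
    echo $stored, "\n"; // what's
}
$stmt->close();
$db->close();
```

Placeholders can only stand in for values. Table and column names, or an ORDER BY direction taken from user input, cannot be bound and must be checked against a fixed list of allowed names before being concatenated into the SQL string.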
