PHP 的内置 mysql_real_escape_string() 函数用作任何用户输入的包装器。这个函数对字符串中的特殊字符进行转义,使撇号等特殊字符无法原样传入 SQL 语句并被 MySQL 当作语法来解释。
// Query text as it ends up when the password input "' or '1'='1" is
// interpolated into the SQL string without escaping.  Because AND binds
// tighter than OR, the WHERE clause reads
// (username='foo' and password='') or ('1'='1') and is always true,
// so the count is nonzero regardless of the credentials supplied.
$sql = "select count(*) as ctr from users where
username='foo' and password='' or '1'='1' limit 1";
// Same query, but each user-supplied value is passed through
// mysql_real_escape_string() before interpolation, so any apostrophe in
// $username or $pw is backslash-escaped and stays inside its string literal.
// NOTE(review): the mysql_* extension has since been deprecated and removed
// from PHP; the preferred mitigation is a prepared statement with bound
// parameters (PDO or mysqli), which keeps values out of the SQL text
// entirely.  Escaping also only covers quoted string literals — it does not
// protect values placed in numeric or identifier positions.
$sql = "select count(*) as ctr from users where
username='".mysql_real_escape_string($username)."'
and password='". mysql_real_escape_string($pw)."' limit 1";
-- Resulting query text after escaping: every apostrophe from the injected
-- password is preceded by a backslash, so the whole ' or '1'='1 sequence
-- is compared as a literal password value instead of being parsed as SQL.
select count(*) as ctr from users where \
username='foo' and password='\' or \'1\'=\'1' limit 1"