第一种:
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<?php
include("conn.php");
function inject_check($sql_str)
{
return preg_match("/select|insert|update|delete|and|or|count|from|exists|>|<|=|\'|\"|\`|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile/i",$sql_str); // 进行关键字过滤
}
if(!empty($_GET['id'])){
if (inject_check($_GET['id'])) exit('<script>window.location.href="index.php"</script>');
}
$sql = "select * from `content` where `Cid` ='".intval($_GET['id'])."'";
$rs=@mysql_query($sql);
if($row=mysql_fetch_assoc($rs)){
echo "<meta http-equiv='content-type' content='text/html charset=utf-8'>";echo "<p align='center'>{$row['Ctitle']}</p>";
echo "<P>{$row['Content']}</P>"; }?>-------------------------------------------------------------------
第二种:<meta http-equiv="content-type" content="text/html; charset=utf-8">
<?php
$link = mysqli_connect("localhost","root","","html");
if (mysqli_connect_errno()) {
printf ("连接失败", mysqli_connect_error());
exit();
}
$id=intval($_GET['id']);
$query = "select * from content where Cid='$id'"; if ($result = mysqli_query($link, $query)) { while ($row = mysqli_fetch_object($result)) {
echo "<meta http-equiv='content-type' content='text/html charset=utf-8'>";
echo '<P align="center">'.$row->Ctitle.'</p>';echo '<P>'.$row->Content.'</P>';
} mysqli_free_result($result);
}
mysqli_close($link);
?>phpsql注入mysqli
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<?php
include("conn.php");
function inject_check($sql_str)
{
return preg_match("/select|insert|update|delete|and|or|count|from|exists|>|<|=|\'|\"|\`|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile/i",$sql_str); // 进行关键字过滤
}
if(!empty($_GET['id'])){
if (inject_check($_GET['id'])) exit('<script>window.location.href="index.php"</script>');
}
$sql = "select * from `content` where `Cid` ='".intval($_GET['id'])."'";
$rs=@mysql_query($sql);
if($row=mysql_fetch_assoc($rs)){
echo "<meta http-equiv='content-type' content='text/html charset=utf-8'>";echo "<p align='center'>{$row['Ctitle']}</p>";
echo "<P>{$row['Content']}</P>"; }?>-------------------------------------------------------------------
第二种:<meta http-equiv="content-type" content="text/html; charset=utf-8">
<?php
$link = mysqli_connect("localhost","root","","html");
if (mysqli_connect_errno()) {
printf ("连接失败", mysqli_connect_error());
exit();
}
$id=intval($_GET['id']);
$query = "select * from content where Cid='$id'"; if ($result = mysqli_query($link, $query)) { while ($row = mysqli_fetch_object($result)) {
echo "<meta http-equiv='content-type' content='text/html charset=utf-8'>";
echo '<P align="center">'.$row->Ctitle.'</p>';echo '<P>'.$row->Content.'</P>';
} mysqli_free_result($result);
}
mysqli_close($link);
?>phpsql注入mysqli
第二个是不能防sql注入的,你没有用prepare预处理语句。其实最简单还是用pdo和mysqli 的预处理语句和参数化查询。当然mysql也是可以的。