-- 你的程序设计是这个样子的: -- $id=“100” select ....from... where ID = '100' ; -- SQL注入的结果是下面的样子: -- $id = "100' or '1' ='1" select .... from .... where ID ='100' or '1' ='1'
<?php include "../admin/connss.php"; $id=INTVAL($_GET[id]); $sql=mysql_query("select * from news where id='$id'"); $row = mysql_fetch_array($sql); ?>
请问,如果我用mysql数据库,只需mysql_real_escape_string,不进行其他操作就可以防止mysql注入吗?
-- 你的程序设计是这个样子的:
-- $id=“100”
select ....from... where ID = '100' ;
-- SQL注入的结果是下面的样子:
-- $id = "100' or '1' ='1"
select .... from .... where ID ='100' or '1' ='1'
include "../admin/connss.php";
$id=INTVAL($_GET[id]);
$sql=mysql_query("select * from news where id='$id'");
$row = mysql_fetch_array($sql);
?>