<?php
// INTENTIONALLY VULNERABLE example: this is the page's "before" listing, a
// login check that pastes request values straight into the SQL text.
// (The mysql_* extension used here was removed in PHP 7.0; the listing only
// runs on PHP 5.)
mysql_connect("localhost","root","123");
mysql_select_db("test");
// $_POST['user'] and $_POST['password'] are concatenated into the statement
// with no escaping. A value that contains a double quote terminates the
// quoted literal, and whatever follows it is parsed as SQL, so the client
// can rewrite the WHERE clause (classic SQL injection).
// Two further problems worth noting: the password is compared in clear text
// inside the query, so the pwd column must hold plaintext passwords; and
// "table" is a reserved word in MySQL, so this statement would not even
// parse as written.
$sql='select user,pwd from table where user="'.$_POST['user'].'" and pwd="'.$_POST['password'].'";
$result = mysql_query($sql);
$row = mysql_num_rows($result);
// Any matching row is treated as a successful login.
if($row != 0)
{
header(.......);   // redirect target elided in the original listing
........           // remainder of the success path elided in the original listing
// Duplicate of the vulnerable listing above (a paste artefact of the page);
// it carries the same injection: $_POST values are concatenated into the
// query unescaped, so a double quote in the input ends the literal and the
// remainder is executed as SQL.
mysql_connect("localhost","root","123");
mysql_select_db("test");
// user and pwd are taken from the form and spliced into the SQL text; the
// password is also compared in clear text, and "table" is a reserved word
// in MySQL.
$sql='select user,pwd from table where user="'.$_POST['user'].'" and pwd="'.$_POST['password'].'";
$result = mysql_query($sql);
$row = mysql_num_rows($result);
// Any matching row counts as a successful login.
if($row != 0)
{
header(.......);   // redirect target elided in the original listing
........           // remainder of the success path elided in the original listing
但是对于 SQL，凡是从表单里取值再拼接进 SQL 语句的地方，都要先用 mysql_escape_string 函数转义，以提防 SQL 注入。需要注意的是：mysql_escape_string 不感知连接字符集（在 GBK 等多字节字符集下仍可能被绕过），而且整个 mysql_* 扩展已在 PHP 7 中被移除；真正可靠的做法是改用 PDO 或 mysqli 的预处理语句（prepared statements）做参数绑定，让用户输入根本不进入 SQL 文本，而不是依赖转义。
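<?php
// Login check, rewritten to use a prepared statement instead of escaping.
//
// The original listing built the query with mysql_escape_string(). That is
// not a safe substitute for parameter binding: it ignores the connection
// character set (with multibyte charsets such as GBK a crafted byte sequence
// can still close the quoted literal), the whole mysql_* extension was
// removed in PHP 7.0, and the listing also had a typo (a missing "(" before
// $_POST['password']) that would not even parse. Binding the values keeps
// user input out of the SQL text entirely, whatever characters it contains.
//
// NOTE(review): the connection still uses the hard-coded root credentials of
// the original listing; they should come from configuration, not source.
// NOTE(review): the query compares the submitted password with the stored
// "pwd" column, i.e. passwords are stored and compared in clear text. The
// right fix is to store password_hash() output and check it with
// password_verify(), but that needs a schema change the listing does not
// show, so it is only flagged here.
$pdo = new PDO(
    // charset assumes the database is utf8mb4 — adjust to the real charset.
    'mysql:host=localhost;dbname=test;charset=utf8mb4',
    'root',
    '123',
    [
        // Throw on errors instead of silently returning false.
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Native server-side prepares: parameter values are sent separately
        // from the SQL text and are never interpolated into it.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

// Missing form fields become empty strings instead of raising a notice.
$user     = isset($_POST['user']) ? (string) $_POST['user'] : '';
$password = isset($_POST['password']) ? (string) $_POST['password'] : '';

// "table" is the table name used by the original listing; it is a reserved
// word in MySQL, so it has to be quoted with backticks to be valid SQL.
$stmt = $pdo->prepare('SELECT user, pwd FROM `table` WHERE user = ? AND pwd = ?');
$stmt->execute([$user, $password]);
$match = $stmt->fetch(PDO::FETCH_ASSOC);

// As in the original, any matching row is treated as a successful login.
if ($match !== false) {
    // header(...) redirect and the rest of the success path are elided in
    // the original listing ("header(.......);" / "........").
}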
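// Escape the whole query string array in place before any other code reads it.
$_GET = sql_injection($_GET);

/**
 * Legacy input-escaping helper; kept because callers depend on it, but read
 * the caveats before relying on it.
 *
 * Runs addslashes() over every string in $content (descending into nested
 * arrays) so that quote characters are backslash-escaped before the value is
 * pasted into an SQL string. This is NOT a substitute for prepared
 * statements: addslashes() knows nothing about the connection character set,
 * so with multibyte charsets (e.g. GBK) an attacker can still close a quoted
 * literal. Treat it as defence in depth only and bind parameters for the
 * actual query.
 *
 * Fixes over the original version:
 *   - the scalar branch called addslashes($content) and discarded the result,
 *     so non-array input was returned unescaped;
 *   - nested arrays (e.g. $_GET['a']['b']) were never descended into;
 *   - get_magic_quotes_gpc() no longer exists in PHP 8, so calling it
 *     unconditionally is a fatal error. Magic quotes themselves were removed
 *     in PHP 5.4, so on any current PHP the request data is never pre-escaped
 *     and this function always escapes.
 *
 * @param mixed $content a scalar or (possibly nested) array of request values
 * @return mixed the same shape, with every string value passed through
 *               addslashes(); non-string scalars are returned unchanged, since
 *               they cannot contain quote characters
 */
function sql_injection($content)
{
    // Only skip escaping on a PHP old enough to still have magic quotes and
    // that reports the request data as already escaped.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return $content;
    }

    if (is_array($content)) {
        foreach ($content as $key => $value) {
            // Recurse so nested request arrays are escaped as well.
            $content[$key] = sql_injection($value);
        }
        return $content;
    }

    return is_string($content) ? addslashes($content) : $content;
}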