PHP SQL Injection Attack Protection


How the SQL Injection problem arises


Methods to prevent SQL Injection


2. Before writing to the database, first filter the input with the mysql_real_escape_string() function


$member_account  = (the user's account name)

$member_password = (the user's password)

$sql = "select * from member where member_account='" . $member_account . "' and member_password='" . $member_password . "'";


$member_account  = ' or '1'='1

$member_password = ' or '1'='1


$member_account  = mysql_real_escape_string($member_account);

$member_password = mysql_real_escape_string($member_password);


select * from member where member_account='\' or \'1\'=\'1' and member_password='\' or \'1\'=\'1'

This way the SQL Injection attack becomes ineffective: the escaped quotes are stored as literal characters, so the injected `or '1'='1` never becomes part of the query logic.
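As an added example (not code from the original post), the bypass above is reproduced against an in-memory SQLite database, with the escaping step and a prepared statement alongside it. mysql_real_escape_string() needs a live MySQL connection and was removed in PHP 7, so PDO::quote() stands in for it here; the pdo_sqlite extension is assumed.

```php
<?php
// Added example, not from the original post. Assumes the pdo_sqlite extension.
// PDO::quote() stands in for mysql_real_escape_string(), which needs a live
// MySQL connection and no longer exists in PHP 7 and later.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE member (member_account TEXT, member_password TEXT)');
$pdo->exec("INSERT INTO member VALUES ('alice', 'correct horse')");

// Constructed attacker input: the payload from the post, supplied in both fields.
$member_account  = "' or '1'='1";
$member_password = "' or '1'='1";

// 1. Vulnerable: user input is spliced straight into the query text, so the
//    payload closes the quoted string and adds an always-true condition.
function loginVulnerable(PDO $pdo, string $acct, string $pw): int {
    $sql = "select * from member where member_account='" . $acct .
           "' and member_password='" . $pw . "'";
    return count($pdo->query($sql)->fetchAll());
}

// 2. Escaped: quote() escapes the embedded single quotes, so the whole payload
//    is compared as a literal string and matches no account.
function loginEscaped(PDO $pdo, string $acct, string $pw): int {
    $sql = "select * from member where member_account=" . $pdo->quote($acct) .
           " and member_password=" . $pdo->quote($pw);
    return count($pdo->query($sql)->fetchAll());
}

// 3. Prepared statement: query text and data travel separately, so there is no
//    escaping step that can be forgotten. Prefer this form in new code.
function loginPrepared(PDO $pdo, string $acct, string $pw): int {
    $stmt = $pdo->prepare(
        'select * from member where member_account = ? and member_password = ?');
    $stmt->execute([$acct, $pw]);
    return count($stmt->fetchAll());
}

printf("vulnerable: %d row(s)\n", loginVulnerable($pdo, $member_account, $member_password));
printf("escaped:    %d row(s)\n", loginEscaped($pdo, $member_account, $member_password));
printf("prepared:   %d row(s)\n", loginPrepared($pdo, $member_account, $member_password));
```

The vulnerable version returns the stored member even though neither field matches, while the escaped and prepared versions return nothing.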
