下面的代碼是從一個教程採取:PHP:如何做單引號和雙引號一起工作
<?php
// user input that uses SQL Injection
$name_bad = "' OR 1'";
// our MySQL query builder, however, not a very safe one
$query_bad = "SELECT * FROM customers WHERE username = '$name_bad'";
// display what the new query will look like, with injection
echo "Injection: " . $query_bad;
在前端,它表明:
Injection: SELECT * FROM customers WHERE username = '' OR 1''
問:
爲什麼它顯示username = '' OR 1''
?
@大衛 - 不,不要。 'mysql_ *'庫已被棄用,不應該被使用,[有更好的方法來防止SQL注入](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql -injection-in-php)而不是轉義。 – Quentin