php°²È«-²»ÓùýÂËmysqlÓïÑÔ°²È«Âð£¿

PHPÖУ¬Ê¹ÓÃmysqlÊý¾Ý¿â,Linuxϵͳ¡£
ÔÚʹÓÃËÑË÷¹¦ÄÜʱ£¬Ö±½ÓÖ´ÐÐÕâÑùµÄÓï¾ä°²È«Âð£¿
$keyword=$_POST["keyword"];
$sql="select * from abc where a_name like '%$keyword%'";
$rs=mysql_query($sql);
.....

Èç¹û²»°²È«£¬Ó¦¸ÃÔõô¹ýÂË£¿Ð»Ð»

---

²»ÊÇ×ö¿ª·¢µÄ ¶ÔÕâ¸ö²»ÊìϤ

---

$keyword = trim($keyword);
$keyword = ereg_replace('([\'%;])', '\\\1', $keyword);

---

²»°²È«,¼ÙÈç±íµ¥ÊäÈë: \Ö®ÀàµÄ,sqlÓï¾ä¾Í³ö´í,¼ÙÈçû´¦ÀíºÃ±¨´í,Hacker¾Í¿ÉÒÔ¿´µ½Ô­Ê¼µÄsqlÓï¾ä,½øÒ»²½·ÖÎöÄãµÄ±í½á¹¹,È»ºó...

Ò»°ãÕâÑùŪÏÂÓ¦¸Ã¾Í¿ÉÒÔÁË:

$keyword=mysql_escape_string($_POST["keyword"]);

---

¶ÔÄãµÄkeywordµÄÄÚÈݽøÐмì²é¡£
±ÈÈ罫һЩΣÏÕ×Ö·û½øÐÐתÒ壬Èç¹ûȷʵÐèÒªlike ÕâЩΣÏÕ×Ö·ûÄǾÍÒªÁíÏë°ì·¨¡£
×ÜÖ®ÏÈ¿´Ò»ÏÂÊý¾Ý×¢ÈëÖ®ÀàµÄÎÄÕ¡£

---

Ö»ÒªÉæ¼°²Ù×÷Êý¾Ý¿âµÄ´úÂ룬 ²»¹ýÂ˶¼²»°²È«£¬ ³ý·ÇÄãÏëÁôºóÃÅ¡£

---

²»°²È«£¬È¥²Î¿¼Ò»Ï´óÐÍCMSµÄ²ÎÊý¹ýÂË£¬ºÜÈÝÒ×ÌáÈ¡³öÀ´µÄ

---

ÔÙ²¹³äһϣ¬´æÔÚSQL×¢È멶´

---

ÒýÓÃ

PHPÖУ¬Ê¹ÓÃmysqlÊý¾Ý¿â,Linuxϵͳ¡£
ÔÚʹÓÃËÑË÷¹¦ÄÜʱ£¬Ö±½ÓÖ´ÐÐÕâÑùµÄÓï¾ä°²È«Âð£¿
$keyword=$_POST["keyword"];
$sql="select * from abc where a_name like '%$keyword%'";
$rs=mysql_query($sql);
.....

Èç¹û²»°²È«£¬Ó¦¸ÃÔõô¹ýÂË£¿Ð»Ð»

$keyword=mysql_real_escape_string($_POST["keyword"]);//¿´ÊÖ²á×îºÃ£¬ÕâЩ·½ÃæµÄ֪ʶ¥Ö÷ËÑË÷һϣ¬SQL×¢Èë¡£
$sql="select * from abc where a_name