mysql_real_escape_string

2019年10月1日 199次阅读 来源: 搬砖大叔

CI中:

$this->db->select('*')->where("username","skcdian")->where("password","' OR ''='")->get("user")->result();

SELECT * FROM (user) WHERE username = ‘skcdian’ AND password = ‘\’ OR \’\’=\”

$password="'' OR ''='' ";
mysql_real_escape_string($password);

\’\’ OR \’\’=\’\’

$password="'' OR ''='' ";
$data1=$this->db->query("SELECT * FROM (user) WHERE username = 'skcdian' AND password = {$password};")->result();

CI\system\database\drivers\mysql\mysql_driver.php

function escape_str($str, $like = FALSE)
{
	if (is_array($str))
	{
		foreach ($str as $key => $val)
   		{
			$str[$key] = $this->escape_str($val, $like);
   		}

   		return $str;
   	}

	if (function_exists('mysql_real_escape_string') AND is_resource($this->conn_id))
	{
		$str = mysql_real_escape_string($str, $this->conn_id);
	}
	elseif (function_exists('mysql_escape_string'))
	{
		$str = mysql_escape_string($str);
	}
	else
	{
		$str = addslashes($str);
	}

	// escape LIKE condition wildcards
	if ($like === TRUE)
	{
		$str = str_replace(array('%', '_'), array('\\%', '\\_'), $str);
	}

	return $str;
}
    原文作者:搬砖大叔
    原文地址: https://segmentfault.com/a/1190000003095367
    本文转自网络文章,转载此文章仅为分享知识,如有侵权,请联系博主进行删除。
点赞