PHP搜索中的sql注入
----------------------------------------------------------------------------------------- 防止查询的sql攻击 = 对关键词进行过滤(代码局部) $k = $_REQUEST['k']; $k = addslashes($k); //转义:单引号,双引号,反斜线,NULL $k = str_replace('%',
-----------------------------------------------------------------------------------------
防止查询的sql攻击 => 对关键词进行过滤(代码局部)
$k = $_REQUEST['k'];
$k = addslashes($k); //转义:单引号,双引号,反斜线,NULL
$k = str_replace('%', '\%', $k);
$k = str_replace('_', '\_', $k);
$sql = "select * from users where name like '%$k%'";
if(!empty($k)){
$res = mysql_query($sql, $con) or die(mysql_error());
if($row = mysql_fetch_assoc($res)){
foreach($row as $k=>$v){
echo $row[$k].':'.$row[$v].'
';
}
}
}else{
echo '******';
}
Link: http://www.cnblogs.com/farwish/p/3803811.html
@黑眼诗人