http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php
这是个防止sql注入的一个问题。这个问题有点看不懂,
$unsafe_variable = $_POST['user_input'];
mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')");
INSERT INTO `table` (`column`) VALUES('value'); DROP TABLE table;--')
这个是怎么做到sql注入的,一条查询语句可以执行insert to 语句和drop table 语句??
The parameter passed in
is
value'); DROP TABLE table;--
. Do you understand?mysql_query cannot execute multiple statements, but it can be used by updatexml and extendvalue to obtain other data information.
Reference: Use insert, update and delete injection to obtain data