Haohappy
http://blog.csdn.net/Haohappy2004
SQL injection attack is the most common method used by hackers to attack websites. If your site does not use strict user input validation, it is very vulnerable to SQL injection attacks. SQL injection attacks are usually implemented by submitting bad data or query statements to the site database, which may cause records in the database to be exposed, changed or deleted. Let’s talk about how SQL injection attacks are implemented and how to prevent them.
Look at this example:
// supposed input
$name = "ilia'; DELETE FROM users;";
mysql_query("SELECT * FROM users WHERE name='{$name}'");
It is obvious that the last command executed by the database is:
SELECT * FROM users WHERE name=ilia; DELETE FROM users
This had disastrous consequences for the database - all records were deleted.
But if the database you are using is MySQL, then fortunately, the mysql_query() function does not allow you to directly perform such operations (multiple statement operations cannot be performed in a single line), so you can rest assured. If the database you are using is SQLite or PostgreSQL and supports such statements, you will face disaster.