PHP防止sql语句注入终极解决方案完美解决方案就是使用拥有Prepared Statement机制(预处理sql)的PDO //先做个实验 先不用预处理sql写法<pre><?php$pdo = new PDO('mysql:dbname=testdatabase;host=localhost;charset=utf8', 'root', 'root');$id='2 or 1=1';$stmt=$pdo->query('SELECT * FROM wz_admin WHERE
1: select *from user where username='admin' and password='123456' or 1='1'; 万能密码 2: select *from user where username='admin' union select *from user ;/* and password='123456'; 万能用户名