mysql_real_escape_string
CI中:
$this->db->select('*')->where("username","skcdian")->where("password","' OR ''='")->get("user")->result(); SELECT * FROM (user) WHERE username = 'skcdian' AND password = '\' OR \'\'=\''
$password="'' OR ''='' ";mysql_real_escape_string($password);\'\' OR \'\'=\'\'
$password="'' OR ''='' ";$data1=$this->db->query("SELECT * FROM (user) WHERE username = 'skcdian' AND password = {$password};")->result();CI\system\database\drivers\mysql\mysql_driver.phpfunction escape_str($str, $like = FALSE){ if (is_array($str)) { foreach ($str as $key => $val) { $str[$key] = $this->escape_str($val, $like); } return $str; } if (function_exists('mysql_real_escape_string') AND is_resource($this->conn_id)) { $str = mysql_real_escape_string($str, $this->conn_id); } elseif (function_exists('mysql_escape_string')) { $str = mysql_escape_string($str); } else { $str = addslashes($str); } // escape LIKE condition wildcards if ($like === TRUE) { $str = str_replace(array('%', '_'), array('\\%', '\\_'), $str); } return $str;}