So, I have this code:
<?php
include '../config.php';
$query = $_GET['q'];
// strip the backslashes that were added to the request value
// ('\\' in single quotes is one backslash; a bare '\' does not parse)
echo str_replace('\\', '', $query);
$sql = mysql_query($query) or die("Query not executed!");
echo $query;
echo "\n //executed";
mysql_close();
?>
The problem is with $_GET, for example when a ' is used. Example: "UPDATE users set coins = 3 WHERE username ='admin'" RETURNS: "update users set coins = 3 where username = \'admin \'" => it should be 'admin'.
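The backslashes described above are what magic_quotes_gpc adds to request data, and the safe way to run the UPDATE is with a fixed statement and bound parameters rather than a query string taken from the request. The following is an added example, not code from the question or the answer; it assumes the question's users(username, coins) table, a hypothetical PDO DSN, and a constructed request array standing in for $_GET.

```php
<?php
// Added example (not from the question or the answer). Assumptions:
// - the backslashes in $_GET come from magic_quotes_gpc (PHP < 5.4), which
//   escapes quotes in request data; stripslashes() undoes exactly that.
// - the table/columns are the question's: users(username, coins).
// - the PDO DSN below is hypothetical.

/**
 * Undo magic_quotes_gpc escaping only when it is actually enabled, so a
 * legitimate backslash supplied by the client is not stripped by mistake.
 * (get_magic_quotes_gpc() no longer exists in PHP 8, hence function_exists.)
 */
function normalizeRequestValue($value)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

/**
 * Set a user's coin balance with a parameterized statement. The SQL text is
 * fixed in the script; user-controlled values travel as bound parameters,
 * so a quote inside $username stays a literal value, never SQL syntax.
 */
function setCoins(PDO $pdo, $username, $coins)
{
    $stmt = $pdo->prepare('UPDATE users SET coins = :coins WHERE username = :username');
    $stmt->bindValue(':coins', (int) $coins, PDO::PARAM_INT);
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount(); // number of rows actually updated
}

// Constructed request standing in for $_GET: the client sends two fields,
// not a whole SQL statement.
$request = array('username' => 'admin', 'coins' => '3');

$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass'); // hypothetical DSN
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares

$updated = setCoins(
    $pdo,
    normalizeRequestValue($request['username']),
    normalizeRequestValue($request['coins'])
);
echo $updated . " row(s) updated\n";
```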
Answer 0 (score: 0)
I suggest you use String Explode
instead of the string replace syntax: array explode ( string $delimiter , string $string [, int $limit ] )
You can look here