【モバイル】携帯電話 ..
324:nobodyさん
06/09/08 19:52:19
>>323
Quote each non numeric user supplied value that is passed to the database with the database-specific string escape function (e.g. mysql_escape_string(), sql_escape_string(), etc.).
If a database-specific string escape mechanism is not available, the addslashes() and str_replace() functions may be useful (depending on database type).
See the first example. As the example shows, adding quotes to the static part of the query is not enough, making this query easily crackable.
次ページ最新レス表示スレッドの検索類似スレ一覧話題のニュースおまかせリスト▼オプションを表示暇つぶし2ch
4988日前に更新/172 KB
担当:undef