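If someone fills in ' or 1=1 /* in the account field of the form and anything as the password, that SQL becomes where username='' or 1=1, the condition holds, and the login succeeds. You can add one more step: fetch the account first, and after the account passes, then compare the account.
$sql = "select username, password from user where username=" . $user;
if ($sql && $sql["password"] == $pas) { }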
You change the sql statement to
"SELECT username,password FROM user WHERE username=".$user." AND password =".$psw;
It is recommended to re-learn string splicing and the difference between single quotes and double quotes.
You can search for related tutorials in the search box in the upper right corner of the PHP Chinese website
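The approach discussed in the replies above (fetch the row by username first, then compare the password), written with a bound parameter instead of string splicing. This is an added example, not code from the thread; it assumes PHP with the pdo_sqlite extension, and the table layout, the sample account and the function names concat_sql and login are constructed for illustration.

```php
<?php
// Added example. Table layout and the sample account are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$pdo->prepare('INSERT INTO user (username, password) VALUES (?, ?)')
    ->execute(['alice', password_hash('s3cret-sample', PASSWORD_DEFAULT)]);

// What string splicing does to the statement text (built only, never executed).
function concat_sql(string $user, string $psw): string
{
    return "SELECT username FROM user WHERE username='" . $user
         . "' AND password='" . $psw . "'";
}

// Step 1: fetch the row by username through a bound parameter, so the
//         input is always a value and never part of the SQL text.
// Step 2: compare the password in PHP against the stored hash.
function login(PDO $pdo, string $user, string $psw): bool
{
    $stmt = $pdo->prepare('SELECT username, password FROM user WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                       // no such account
    }
    return password_verify($psw, $row['password']);
}

$input = "' or 1=1 /*";                     // the form input quoted in the thread

// Spliced text: the quote in the input ends the string literal early and the
// rest of the input is parsed as SQL.
echo concat_sql($input, 'anything'), "\n";

// Bound parameter: the same input is just a username that does not exist.
var_dump(login($pdo, 'alice', 's3cret-sample'));
var_dump(login($pdo, 'alice', 'wrong'));
var_dump(login($pdo, $input, 'anything'));
```

With the bound parameter only the first call logs in; the input from the thread is looked up as a literal username, finds no row, and is rejected.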