2019-02-25 Views: 842
Causes of SQL injection

SQL injection is caused by developers failing to strictly validate and filter data, and by badly written SQL statements.

For example:

A user table has already been created with one row: username = 'cyx', password = '123'.
In SQL, comment markers such as /* and # cause the rest of the statement to be ignored.

<?php
$host = "127.0.0.1";
$username = "root";
$password = "123";
$database = "game";
$port = 3306;
$mysqli = new mysqli($host, $username, $password, $database, $port);
if ($mysqli->connect_error) {
    die("Connection error: " . $mysqli->connect_error);
}

$username = "'cyx'#";          // injection via SQL comment syntax: everything after # is ignored
//$username = "'cyx' or 1=1";  // simple injection via boolean logic
$password = "12";              // wrong password, but the password check is commented out
$sql = "select * from user where username = $username and password=$password"; // badly written SQL: user input is concatenated straight into the statement
echo $sql;                     // select * from user where username = 'cyx'# and password=12
$res = $mysqli->query($sql);
if ($res === false) {
    die("Query error: " . $mysqli->error);
}
var_dump($res->num_rows);      // the cyx row is returned even though the password is wrong
$res->free();
$mysqli->close();

Solution: prepared statements + bound variables
A prepared statement is a precompiled SQL statement object: the SQL is compiled once and stored in the object. The wrapped statement represents one kind of operation and may contain the dynamic placeholder "?", whose value is supplied separately at execution time.

<?php
$host = "127.0.0.1";
$username = "root";
$password = "123";
$database = "game";
$port = 3306;
$mysqli = new mysqli($host, $username, $password, $database, $port);
if ($mysqli->connect_error) {
    die("Connection error: " . $mysqli->connect_error);
}

$username = "cyx";   // a value such as "'cyx'#" would be sent as literal data and simply match no row
$password = "123";
$sql = "select * from user where username = ? and password = ?"; // placeholders for bound variables
echo $sql;
$stmt = $mysqli->prepare($sql);
if ($stmt === false) {
    die("Prepare error: " . $mysqli->error);
}
$stmt->bind_param("ss", $username, $password); // both values are bound as strings, never interpolated into the SQL text
$stmt->execute();
$id = "";
$username = "";
$password = "";
$stmt->bind_result($id, $username, $password); // one variable per selected column of the user table (id, username, password)
while ($stmt->fetch()) {
    echo $id . "--" . $username . "--" . $password; // prints 1--cyx--123
}
// close the statement and the database connection
$stmt->close();
$mysqli->close();
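The following is an added example, not code from the article: it puts the two listings above side by side as functions and runs the article's injection inputs through both, so the difference between concatenation and a prepared statement can be observed directly. It uses PDO with an in-memory SQLite database (assumed to be available via the pdo_sqlite extension) instead of mysqli and a MySQL server, so it runs without any database setup; the table and its single row are constructed inline. Because "#" is a MySQL-specific comment marker and SQLite only understands "--" and "/* */", the comment-style payload here uses "-- " in place of the article's "#".

```php
<?php
declare(strict_types=1);

// Added example (not the article's own code). Assumes the pdo_sqlite extension.
function openDatabase(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed sample data: the article's single user row.
    $pdo->exec("CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT NOT NULL, password TEXT NOT NULL)");
    $pdo->exec("INSERT INTO user (username, password) VALUES ('cyx', '123')");
    return $pdo;
}

// Vulnerable: user input is concatenated into the SQL text, so the input can
// change the structure of the statement (mirrors the first listing).
function loginVulnerable(PDO $pdo, string $username, string $password): array
{
    $sql = "SELECT id, username FROM user WHERE username = '$username' AND password = '$password'";
    try {
        return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        // A payload that breaks the statement's syntax is treated as "no match".
        return [];
    }
}

// Fixed: the statement with placeholders is compiled first, then the values are
// bound. The database receives them as data, never as part of the SQL grammar
// (mirrors the second listing).
function loginPrepared(PDO $pdo, string $username, string $password): array
{
    $stmt = $pdo->prepare("SELECT id, username FROM user WHERE username = ? AND password = ?");
    $stmt->execute([$username, $password]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = openDatabase();

// Constructed login attempts: two honest ones and the article's two injection styles.
$attempts = [
    'correct credentials'     => ['cyx', '123'],
    'wrong password'          => ['cyx', '999'],
    'comment-style injection' => ["cyx' -- ", '999'],        // comments out the password check
    'logic-style injection'   => ["cyx' OR 1=1 -- ", '999'], // always-true condition
];

foreach ($attempts as $label => [$user, $pass]) {
    printf("%-25s vulnerable: %d row(s)   prepared: %d row(s)\n",
        $label,
        count(loginVulnerable($pdo, $user, $pass)),
        count(loginPrepared($pdo, $user, $pass)));
}
```

Run it with php on the command line. The honest attempts behave the same in both functions; the two injected usernames make loginVulnerable return the cyx row despite the wrong password, because the input has rewritten the WHERE clause, while loginPrepared compares the whole string "cyx' -- " against the username column as plain data and finds nothing.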