2019-02-25
Causes of SQL injection
SQL injection happens because developers do not strictly validate and filter input data, and write SQL statements in a careless, non-standard way.
For example:
A user table has already been created with one row: username = 'cyx', password = '123'.
In MySQL, both /* and # can be used to comment out the rest of a statement.
<?php
$host = "127.0.0.1";
$db_user = "root";
$db_pass = "123";
$database = "game";
$port = 3306;
$mysqli = new mysqli($host, $db_user, $db_pass, $database, $port);
if ($mysqli->connect_error) {
    die("Connection error: " . $mysqli->connect_error);
}
$username = "'cyx'#";          // injection via SQL comment syntax: everything after # is ignored
//$username = "'cyx' or 1=1";  // simple injection via boolean logic
$password = "12";              // wrong password, yet a row is still returned
// Unsafe: user input is interpolated directly into the SQL text
$sql = "select * from user where username = $username and password=$password";
echo $sql;
$res = $mysqli->query($sql);
if ($res === false) {
    die("Query error: " . $mysqli->error);
}
var_dump($res->num_rows); // int(1): the password check was commented out
$res->free();
$mysqli->close();
Solution: prepared statements + bound variables
A prepared statement is a precompiled SQL statement object: the SQL is compiled once and stored in the object. The encapsulated statement represents one class of operation and may contain dynamic parameters written as "?", whose values are supplied at execution time rather than spliced into the SQL text.
<?php
$host = "127.0.0.1";
$db_user = "root";
$db_pass = "123";
$database = "game";
$port = 3306;
$mysqli = new mysqli($host, $db_user, $db_pass, $database, $port);
if ($mysqli->connect_error) {
    die("Connection error: " . $mysqli->connect_error);
}
$username = "'cyx";  // the same kind of injection attempt; it is now just a literal value
$password = "123";
$sql = "select * from user where username = ? and password = ?"; // bound variables
echo $sql;
$stmt = $mysqli->prepare($sql);
if ($stmt === false) {
    die("Prepare error: " . $mysqli->error);
}
// both columns are strings, so bind both parameters as "s"
$stmt->bind_param("ss", $username, $password);
$stmt->execute();
$id = "";
$username = "";
$password = "";
$stmt->bind_result($id, $username, $password);
// print the variables bound to the result columns
while ($stmt->fetch()) {
    echo $id . "--" . $username . "--" . $password;
}
// With the injected value "'cyx" no row matches, because the quote is part of the compared
// value rather than SQL syntax; with the legitimate value "cyx" this prints 1--cyx--123
$stmt->close();
// close the database connection
$mysqli->close();
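To show the same contrast in a form that runs without a MySQL server, here is an added Python example (not from the original post) that builds an in-memory SQLite table with the post's single row and runs both payloads against a string-interpolated query and a parameterised one. SQLite uses "--" for line comments where MySQL used "#", and its "?" placeholders play the role of mysqli's bound parameters; the table layout (id, username, password) is an assumption.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed sample data mirroring the post: one user row, username 'cyx', password '123'
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO user VALUES (1, 'cyx', '123')")
    conn.commit()
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Mirrors the post's first script: values are pasted into the SQL text, unquoted,
    so quotes, OR clauses and comment markers in the input become part of the query."""
    sql = f"SELECT * FROM user WHERE username = {username} AND password = {password}"
    return len(conn.execute(sql).fetchall())

def login_prepared(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Mirrors the post's second script: the statement is compiled with '?' placeholders
    and the values are bound afterwards, so they are compared literally."""
    sql = "SELECT * FROM user WHERE username = ? AND password = ?"
    return len(conn.execute(sql, (username, password)).fetchall())

def demo() -> dict:
    """Runs the post's two payloads with a wrong password against both versions,
    plus a legitimate login through the safe version; returns rows matched per call."""
    conn = make_db()
    wrong_password = "12"
    payloads = {
        "comment": "'cyx'--",       # SQLite equivalent of the post's 'cyx'#
        "logic": "'cyx' or 1=1",    # the post's boolean-logic payload
    }
    results = {}
    for name, payload in payloads.items():
        results[f"vulnerable_{name}"] = login_vulnerable(conn, payload, wrong_password)
        results[f"prepared_{name}"] = login_prepared(conn, payload, wrong_password)
    results["prepared_valid"] = login_prepared(conn, "cyx", "123")
    conn.close()
    return results

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

The interpolated version returns the row for both payloads despite the wrong password, while the parameterised version returns nothing for them and still accepts the real credentials.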