您应该使用单引号和mysql_real_escape_string http://php.net/manual/en/function.mysql-real-escape-string.php或搬进PDO http://php.net/manual/en/book.pdo.php.
mysql_real_escape_string 将负责清理要存储在数据库中的不干净变量,单引号将阻止其中的任何执行。
这是一个例子:
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
mysql_real_escape_string($user),
mysql_real_escape_string($password));
PDO的例子:
$dbh = new PDO('mysql:dbname=your_database;host=your_host', $user, $password);
$stmt = $dbh->prepare('SELECT * FROM users WHERE user = :username AND password = :password');
$stmt->execute(array('username' => $user, 'password' => $password));
如果您没有正确清理要存储的数据,您可能会遭受 SQL 注入。
例如一个普通的查询
SELECT * FROM users WHERE user = 'test'
注入查询:
SELECT * FROM users WHERE user = 'anything' OR 'x'='x'
另一个例子:
SELECT * FROM users WHERE user = ' '; DROP TABLE users
有关 SQL 注入攻击的更多信息 http://www.php.net/manual/en/security.database.sql-injection.php: SQL注入预防 http://www.learnphponline.com/security/sql-injection-prevention-mysql-php, MySQL注入 http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php
为什么应该使用 php 的 PDO 进行数据库访问 http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/