
mysql - Can SQL injection be avoided by simply escaping single quotes and backslashes, without using a prepared statement?

For example, if I enter the login name login_name as \', the resulting SQL is:

    SELECT * FROM account WHERE (1) AND (`account`.login_name = '\\'')

If I enter the login name login_name as ' or 1 = 1, the resulting SQL is:

    SELECT * FROM account WHERE (1) AND (`account`.login_name = '\' or 1 = 1')

Does this avoid SQL injection?

Asked by PHPz, 2710 days ago


Reply from PHPz, 2017-05-18 10:50:57:

No, suppose login_name is ' or 1 = 1, what is the result after escaping?

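An added example, not code from the question or the reply, that makes the mechanism behind the question checkable: a MySQL-style escaping function, the login query built from it exactly as the question does, and a small reader that decodes the first single-quoted literal the way MySQL's parser would, so you can confirm the escaped value never spills past the closing quote. It only covers a value placed inside single quotes, as in the question; the `_ESCAPES` table follows MySQL's backslash conventions and every function name here is my own.

```python
# Characters mysql_real_escape_string() rewrites when the connection charset
# is single-byte or UTF-8 (assumed table, modelled on MySQL's documented rules).
_ESCAPES = {
    "\\": "\\\\", "'": "\\'", '"': '\\"',
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
}
_UNESCAPES = {"0": "\0", "n": "\n", "r": "\r", "Z": "\x1a"}


def mysql_escape(value: str) -> str:
    """Escape a value for use inside a single-quoted MySQL string literal."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_login_query(login_name: str) -> str:
    """Build the query from the question by escaping instead of using a placeholder."""
    return ("SELECT * FROM account WHERE (1) AND "
            f"(`account`.login_name = '{mysql_escape(login_name)}')")


def read_first_literal(sql: str) -> tuple[str, str]:
    """Decode the first single-quoted literal as the MySQL parser would.
    Returns (decoded value, text that follows the closing quote)."""
    i = sql.index("'") + 1
    out = []
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and i + 1 < len(sql):       # backslash escape sequence
            nxt = sql[i + 1]
            out.append(_UNESCAPES.get(nxt, nxt))  # \n, \0 ... or the char itself
            i += 2
        elif ch == "'":
            if sql[i + 1:i + 2] == "'":           # doubled quote is also a literal '
                out.append("'")
                i += 2
            else:
                return "".join(out), sql[i + 1:]  # closing quote reached
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")


def value_stays_in_literal(login_name: str) -> bool:
    """True when the parser recovers exactly the input and nothing but the
    query's own trailing ')' follows the closing quote."""
    decoded, rest = read_first_literal(build_login_query(login_name))
    return decoded == login_name and rest == ")"
```

Running `value_stays_in_literal` on the two inputs from the question returns True for both, because the escaped quote is consumed as part of the literal rather than closing it.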