addslashes and mysql_real_escape_string do NOT prevent SQL injection!!!
Look at the code first...

```php
<?php
// The page (and thus the database connection in the original setup) uses GBK, a multibyte charset.
header('Content-Type: text/html; charset=GBK');

// 0xbf is a valid GBK lead byte; 0x27 is a single quote.
$input = chr(0xbf) . chr(0x27) . ' OR username = username; /*';

// addslashes() works byte by byte: it inserts 0x5c (backslash) before the quote,
// producing the byte sequence 0xbf 0x5c 0x27. Under GBK, 0xbf 0x5c is one complete
// two-byte character, so the quote that follows is left unescaped.
$value = addslashes($input);

// The escaped value is spliced into the query string by concatenation.
$sql = "SELECT * FROM users WHERE username='{$value}' AND password='123123';";

echo $value;
echo '<br>';
echo $sql;
echo '<br>';
```

The demo above outputs: You may wonder,
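The following added example (not from the original post) reproduces the byte-level mechanism in Python: a byte-wise `addslashes` stand-in, a check of whether every quote is still escaped once the server decodes the bytes as GBK versus UTF-8, and a parameterized query (using the `sqlite3` standard library as a stand-in for MySQL) that treats the same input purely as data. The `users` table, the row `alice`, and the input bytes are constructed for the demonstration.

```python
"""Why byte-wise quote escaping fails under GBK, and why bound parameters do not.
Constructed input only; the 0xbf 0x27 prefix is the one discussed in the post."""
import sqlite3

# Constructed input: a GBK lead byte, a single quote, then trailing SQL.
INPUT = b"\xbf\x27 OR username = username; /*"


def addslashes(data: bytes) -> bytes:
    """Byte-wise escaping in the spirit of PHP addslashes(): backslash before ' " \\ NUL."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def quotes_still_escaped(escaped: bytes, encoding: str) -> bool:
    """Decode the escaped bytes the way the SQL server would and report whether
    every single quote is still immediately preceded by a backslash."""
    text = escaped.decode(encoding, errors="replace")
    return all(i > 0 and text[i - 1] == "\\"
               for i, ch in enumerate(text) if ch == "'")


def build_query(escaped: bytes, encoding: str) -> str:
    """Mimic the post's string-concatenated query as the server would see it."""
    return ("SELECT * FROM users WHERE username='"
            + escaped.decode(encoding, errors="replace")
            + "' AND password='123123';")


def parameterized_lookup(username: str) -> int:
    """Bound parameters (sqlite3 as stand-in): the input is data, never SQL text."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 's3cret')")  # constructed row
    rows = con.execute("SELECT * FROM users WHERE username=? AND password=?",
                       (username, "123123")).fetchall()
    con.close()
    return len(rows)


if __name__ == "__main__":
    esc = addslashes(INPUT)
    for enc in ("utf-8", "gbk"):
        # utf-8 keeps the backslash in front of the quote; gbk swallows it into a character.
        print(enc, quotes_still_escaped(esc, enc), build_query(esc, enc))
    print(parameterized_lookup(INPUT.decode("gbk", errors="replace")))
```

The same mismatch is why, for the real MySQL client, the connection charset must be set through the client library (so the escaping routine knows the encoding) rather than assumed, and why bound parameters are the robust fix.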