<?php
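// Look up one user by the POSTed username and render the matching rows as an
// HTML table.
//
// Connection values are the demo ones from the original page (local MySQL,
// root account, empty password, database "test1").
// NOTE(review): outside a throwaway lab, connect with a dedicated
// least-privilege account and a real password.
$conn2 = mysqli_connect('localhost', 'root', '', 'test1');
if (!$conn2) {
    // Depending on the mysqli report mode a failed connect returns false;
    // stop here instead of running a query on an invalid handle.
    exit('Database connection failed.');
}

// The username comes from the request body and is untrusted. A missing field
// becomes an empty string, and a non-string value (e.g. an array submitted as
// username[]=...) is rejected the same way.
$username = $_POST['username'] ?? '';
if (!is_string($username)) {
    $username = '';
}

// The original built the statement by concatenation:
//   "select * from user where username = '" . $_POST['username'] . "'"
// which lets a quote character in the input change the statement itself
// (SQL injection). With a bound parameter the SQL text is fixed before the
// value is supplied, so the input is only ever treated as data.
$stmt = mysqli_prepare($conn2, 'select * from user where username = ?');
if (!$stmt) {
    exit('Query preparation failed.');
}
mysqli_stmt_bind_param($stmt, 's', $username);
mysqli_stmt_execute($stmt);

// mysqli_stmt_get_result() requires the mysqlnd driver.
$result = mysqli_stmt_get_result($stmt);
if (!$result) {
    exit('Query failed.');
}

echo '<table width="400" border="1">';
while ($row = mysqli_fetch_assoc($result)) {
    // Stored values are escaped for the HTML context so markup saved in a
    // column cannot be interpreted by the browser (stored XSS).
    $safeUsername = htmlspecialchars((string) $row['username'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // NOTE(review): the original demo prints the password column; it is kept
    // so the output matches, but credential values (plaintext or hashed)
    // should not be rendered to a page in real code.
    $safePassword = htmlspecialchars((string) $row['password'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    echo '<tr>';
    echo '<td>';
    echo $safeUsername;
    echo '</td>';
    echo '<td>';
    echo $safePassword;
    echo '</td>';
    echo '</tr>';
}
echo '</table>';

mysqli_stmt_close($stmt);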
?>
$sqlstr = "select * from user where username = '" . $_POST['username'] . "'";
1 "select * from user where username = ' "
2 . $_POST['username'] .
3 " ' "
說明:
"select ...... ' " + $_POST['username']
+ " ' "
實際送出指令為
select * from user where username = ' $_POST['username']'
把字串拆成三段
1 select * from user where username = '
2 $_POST['username']
3 '
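最後 1、3 用雙引號包起來,再用句點把字串連起來。注意:這樣串接會讓使用者輸入直接成為 SQL 指令的一部分,輸入中只要含有單引號就會改變指令的結構(SQL injection);實際專案應改用 prepared statement(mysqli_prepare 搭配 mysqli_stmt_bind_param),輸出到 HTML 時再以 htmlspecialchars 處理。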