MySQL 安全性測試

一、沒有使用預處理（prepared statement）的 SQL 語句

<?php
// Demo script for section 一: connects with the legacy mysql_* extension
// (removed in PHP 7; kept only because the page contrasts it with the PDO
// version below), escapes a string two different ways, then runs a SELECT
// whose parameters are interpolated straight into the SQL text.

// 1. 連接數據庫
// Credentials are hard-coded for the demo; real code should load them from
// configuration and should not connect as root.
$conn = mysql_connect('127.0.0.1:3306', 'root', '518666');
if (!$conn) {
    die("Could not connect:" . mysql_error());
}

// 2. 選擇數據庫
mysql_select_db('mysql_safe', $conn);

// 3. 設置編碼 — 注意這里是 utf8 而不是 utf-8；寫后者 MySQL 不會識別，會出現亂碼。
mysql_query("SET NAMES utf8");

$title    = "我們的愛情";
$content  = '你是/誰啊,大幾都"老梁"做做&>women<a>沒';
$add_time = date("Y-m-d H:i:s");

// 轉義字符
// mysql_real_escape_string() backslash-escapes for the SQL string context;
// htmlspecialchars() then entity-encodes for HTML output. Doing the HTML step
// before the insert means the encoded form is what would be stored, so every
// consumer of the column must treat it as already HTML-escaped.
$content = mysql_real_escape_string($content);
$content = htmlspecialchars($content, ENT_COMPAT);
// 結果: 你是/誰啊,大幾都做做&amp;&gt;women<a>沒
// 自動過濾反斜杠

/*
// 4. 插入一條數據
$insert_sql = "insert into post_tbl (title, content, user_id, add_time) values ('{$title}', '{$content}', '4742551', '{$add_time}')";
if (mysql_query($insert_sql)) {
    echo 'ok';
} else {
    echo "Error : " . mysql_error();
}
$ret = mysql_affected_rows();
print_r($ret);
*/

// 5. PDO 預處理插入
// PDO (PHP Data Object) 則是提供了一個 Abstraction Layer 來操作數據庫

// 查詢
// Deliberately unsafe: $user_id and $password are pasted into the SQL text
// unquoted and unescaped, so the value of $password below alters the WHERE
// clause instead of being compared as data. Section 二 shows the same query
// with bound parameters. (The demo also compares a plaintext password column;
// real code stores password_hash() output and checks it with password_verify().)
$user_id  = 174742;
$password = "''or '1=1'";
$sql      = "select * from post_tbl where user_id = {$user_id} and password = {$password}";
print_r($sql);

$resultSet = mysql_query($sql);
// $result = mysql_fetch_array($resultSet);
$records = array();
while ($record = mysql_fetch_array($resultSet)) {
    $records[] = $record;
}
print_r($records);

// 關閉數據庫連接
mysql_close($conn);

/*
$str = "Bill & 'Steve'";
echo htmlspecialchars($str, ENT_COMPAT);   // 只轉換雙引號
echo "<br>";
echo htmlspecialchars($str, ENT_QUOTES);   // 轉換雙引號和單引號
echo "<br>";
echo htmlspecialchars($str, ENT_NOQUOTES); // 不轉換任何引號
*/

/*
以上代碼的 HTML 輸出如下(查看源代碼):
Bill &amp; 'Steve'<br>
Bill &amp; 'Steve'<br>
Bill &amp; 'Steve'

以上代碼的瀏覽器輸出:
Bill & 'Steve'
Bill & 'Steve'
Bill & 'Steve'
*/

/*
 * The page's listing of this helper is cut off after the second str_replace
 * call, so it is reproduced here as a comment rather than as code; the missing
 * remainder is not recoverable from the source. Note that GB2312 appears as a
 * bare constant where htmlspecialchars() expects the string 'GB2312'.
 *
 * function mforum_html_tag_to_html_entity($content)
 * {
 *     $content = (string) trim($content);
 *     if (empty($content)) return '';
 *     // $content = str_replace('?', '?', $content);
 *     $content = htmlspecialchars($content, ENT_COMPAT, GB2312, false);
 *     $content = str_replace("&gt;", "&gt;", $content);
 *     $content = str_replace(   ... [listing truncated here in the source]
 */
?>
二、PDO處理的SQL語句
<?php
// Demo script for section 二: the same lookup, but the values are bound as
// named parameters so the driver/server keeps them separate from the SQL text.
//
// PDO的使用
// http://blog.csdn.net/qq635785620/article/details/11284591
$pdo = new PDO('mysql:host=127.0.0.1:3306;dbname=mysql_safe', 'root', '518666');
// NOTE(review): pdo_mysql takes the port as a separate `port=` DSN key; confirm
// that the `host=127.0.0.1:3306` form actually connects as intended.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// NOTE(review): with emulated prepares (PDO's default for MySQL) the client
// library does the quoting and needs to know the connection charset; passing
// `charset=utf8` in the DSN instead of `set names` is the usual advice — confirm
// for the PHP/driver version in use.
$pdo->exec('set names utf8');

$title    = "我們的愛情";
$content  = '你是/誰啊,大幾都"老梁"做做&>women<a>沒' . " 測試打印號'我是單引號'哈哈";
$user_id  = 174742;
$add_time = date("Y-m-d H:i:s");

// $insert_sql = "insert into post_tbl (title, content, user_id, add_time) values (:x_title, :x_content, :x_user_id, :x_add_time)";
// $statement = $pdo->prepare($insert_sql);
// $statement->execute(array('x_title' => $title, ':x_content' => $content, ':x_user_id' => $user_id, ':x_add_time' => $add_time));

// 查詢
// Because the values travel as parameters, a user_id like "17474#" or the
// "''or '1=1'" string from section 一 is compared literally and cannot change
// the shape of the query.
$user_id  = "17474#";
// $password = "''or '1=1'";
$password = 123456;
$sql      = 'select * from post_tbl where user_id = :x_user_id and password = :x_password';

$statement = $pdo->prepare($sql);
$statement->execute(array(':x_user_id' => $user_id, ':x_password' => $password));

$records = array();
while ($record = $statement->fetch(PDO::FETCH_ASSOC)) {
    $records[] = $record;
}
print_r($records);

// echo $pdo->lastinsertid();
