php不用pdo防止sql语句注入的方法
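/**
 * Substitute positional `?` placeholders in $sql with the given values.
 *
 * Integers are inlined as-is; every other value is passed through $escape
 * and wrapped in single quotes. Wrapping in quotes on its own does not
 * prevent SQL injection (a value containing a quote would end the literal),
 * so non-integer values are always escaped before quoting. The default
 * escaper is addslashes(); when a live connection is available pass its
 * escaper instead, e.g. `function ($s) use ($mysqli) { return $mysqli->real_escape_string($s); }`,
 * or use real prepared statements.
 *
 * Placeholders are matched textually, so a `?` inside a string literal in
 * $sql is treated as a placeholder as well.
 *
 * @param string        $sql         Query text with `?` placeholders.
 * @param array         $replacement Values, one per placeholder, in order.
 * @param int           $isreturn    1 to return the query; otherwise it is printed and the script exits.
 * @param callable|null $escape      Escaper applied to non-integer values before quoting.
 * @return string The substituted query when $isreturn is 1; otherwise the script exits.
 * @throws InvalidArgumentException when the number of placeholders and values differ.
 */
function getrepairsql($sql, $replacement, $isreturn = 0, ?callable $escape = null)
{
    if ($escape === null) {
        $escape = 'addslashes';
    }
    $values = array_values((array) $replacement);

    // Split on `?` and re-join with the literals so replacement text is
    // inserted verbatim: preg_replace() would interpret `$1` or `\1`
    // inside a value as a back-reference.
    $parts = explode('?', (string) $sql);
    $placeholders = count($parts) - 1;
    if ($placeholders !== count($values)) {
        throw new InvalidArgumentException(sprintf(
            'Query has %d placeholder(s) but %d value(s) were given',
            $placeholders,
            count($values)
        ));
    }

    $res = $parts[0];
    foreach ($values as $i => $v) {
        // Integers need no quoting; everything else is escaped and quoted.
        $literal = is_int($v) ? (string) $v : "'" . $escape((string) $v) . "'";
        $res .= $literal . $parts[$i + 1];
    }

    if ((int) $isreturn === 1) {
        return $res;
    }
    print_r($res);
    exit();
}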
// Example call: bind the caller's value into the single placeholder and
// get the finished query back instead of printing it.
// $ss is not defined on this page; presumably it is set by earlier code — verify.
$sql = 'select * from aa_copy_copy where id=?';
$sql = getrepairsql($sql, [$ss], 1);
直接用替换法就可以了，但替换进去的字符串值必须先做转义（例如 mysqli_real_escape_string）再加引号，仅加引号并不能防止注入。
如果是数字直接intval()就行了