查询
select * from users
where username='lisi'-- ' and `password`='123';
登陆账号:'lisi'--
删除
select * from users
where username='lisi'; delete from users; -- ' and `password`='123';
登录账号:'lisi'; delete from users; --
这样就可以查询,删除我们的表格,不需要密码,这样就狠危险
解决方式:所有拼接sql语句的变量都escape处理一下
escape: mysql.escape
username = escape(username);
password = escape(password);
escape处理结果:会把引号转义
select username,realname from users where username='zhangsan\'-- ' and password='123111'