1.整数型参数，必须intval转义,用addslashes转义不行

<?php  


$test = $_REQUEST["test"];


$test = addslashes($test);


$sql =" select * from tbl1 where id=$test";


print $sql;

//输入test=1 or 1=1 得到 select * from tbl1 where id=1 or 1=1
被注入


?>

<?php  


$test = $_REQUEST["test"];


$test = intval($test);


$sql =" select * from tbl1 where id=$test";


print $sql;

//输入 test=1 or 1=1 得到 select * from tbl1 where id=1


?>


2.字符串型参数，必须addslashes转义


<?php  


$test = $_REQUEST["test"]; 


$sql =" select * from tbl1 where xxx='$test'";


print $sql;

//输入 test=1 or 1=1 得到 select * from tbl1 where xxx='1' or 1=1'  
被注入


?>

<?php  


$test = $_REQUEST["test"];


$test = addslashes($test);


$sql =" select * from tbl1 where xxx='$test'";


print $sql;

//输入 test=1 or 1=1 得到 select * from tbl1 where xxx='1\' or 1=1' 


?>


3.执行系统命令的，必须 escapeshellarg 转义


<?php  


$test = $_REQUEST["test"]; 


$cmd ="host ".$test;


print $cmd;

//输入test=www.baidu.com%26%26uname 得到 host www.baidu.com&&uname ,
越界命令被执行了


?>

<?php  


$test = $_REQUEST["test"]; 


$test = addslashes($test);


$cmd ="host ".$test;


print $cmd;

//输入test=www.baidu.com%26%26uname 得到 host www.baidu.com&&uname  ,
越界命令被执行了，addslashes不能防护shell注入


?>

<?php  


$test = $_REQUEST["test"]; 


$test = escapeshellarg($test);


$cmd ="host ".$test;


print $cmd;

//输入test=www.baidu.com%26%26uname 得到 host "www.baidu.com&&uname"


?>