http://www.victim.com/products.php?val=100

The following PHP script shows how user input (val) is passed to a dynamically created SQL statement. When the URL above is requested, the following PHP code segment is executed:

    // connect to the database
    $conn = mysql_connect("localhost", "username", "password");

    // dynamically build the sql statement with the input
    $query = "SELECT * FROM Products WHERE Price < '{$_GET["val"]}' " .
             "ORDER BY ProductDescription";

    // execute the query against the database
    $result = mysql_query($query);

    // iterate through the record set
    while ($row = mysql_fetch_array($result, MYSQL_ASSOC))
    {
        // display the results to the browser
        echo "Description : {$row['ProductDescription']} <br>" .
             "Product ID : {$row['ProductID']} <br>" .
             "Price : {$row['Price']} <br><br>";
    }

chenkm@ustc.edu.cn 0551-3602824 2022/11/8
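For contrast with the dynamically built statement above, the same lookup with the value bound as a parameter. This is an added example, not code from the original slide; it assumes PDO with the SQLite driver, and the function name `find_products_below` and the table rows are constructed for illustration.

```php
<?php
// Added example: parameterized version of the product lookup.
// Uses an in-memory SQLite database so it runs offline; all rows are constructed.

function find_products_below(PDO $db, string $val): array
{
    // Price is numeric, so reject anything that is not a number up front.
    if (!is_numeric($val)) {
        return [];
    }
    // The SQL text is fixed. The user value is sent separately as a bound
    // parameter, so it can never change the structure of the statement.
    $stmt = $db->prepare(
        'SELECT ProductID, ProductDescription, Price FROM Products ' .
        'WHERE Price < CAST(:val AS REAL) ORDER BY ProductDescription'
    );
    $stmt->bindValue(':val', $val, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Products (
    ProductID INTEGER PRIMARY KEY, ProductDescription TEXT, Price REAL)');
$db->exec("INSERT INTO Products VALUES
    (1, 'Cable', 9.5), (2, 'Router', 89.0), (3, 'Switch', 240.0)");

// Stand-ins for $_GET["val"]: a normal value, and one with a stray quote that
// would break the string-built query but is simply rejected here.
foreach (['100', "100'"] as $val) {
    $rows = find_products_below($db, $val);
    echo 'val=' . var_export($val, true) . ' -> ' . count($rows) . " row(s)\n";
    foreach ($rows as $row) {
        // Escape database values before writing them into HTML output.
        echo '  ' . htmlspecialchars($row['ProductDescription']) .
             ' (ID ' . (int) $row['ProductID'] . ', price ' .
             htmlspecialchars((string) $row['Price']) . ")\n";
    }
}
```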