strSQL = "SELECT * FROM users WHERE (name = '" + userName + "') and (pw = '"+ passWord +"');"
When userName = "1' OR '1'='1" and passWord = "1' OR '1'='1" are filled in maliciously, the original SQL string becomes strSQL = "SELECT * FROM users WHERE (name = '1' OR '1'='1') and (pw = '1' OR '1'='1'); "
In other words, because '1'='1' is always true, the SQL command that actually runs is equivalent to the following: strSQL = "SELECT * FROM users;"
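The same login query built the vulnerable way (string concatenation, exactly as in the strSQL line above) and with bound parameters, as an added Python/sqlite3 example that is not part of the original text; the users table and its two sample rows are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the original text): an in-memory
# users table with two accounts, so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn, user_name, pass_word):
    # Same string-building pattern as the page's strSQL line: the input is
    # pasted into the SQL text, so a quote in the input rewrites the WHERE clause.
    sql = ("SELECT * FROM users WHERE (name = '" + user_name + "') and (pw = '"
           + pass_word + "');")
    return conn.execute(sql).fetchall()

def login_parameterized(conn, user_name, pass_word):
    # Placeholders: the driver passes the values separately from the SQL text,
    # so "1' OR '1'='1" is compared literally as a name/password and matches nothing.
    sql = "SELECT * FROM users WHERE (name = ?) and (pw = ?)"
    return conn.execute(sql, (user_name, pass_word)).fetchall()

if __name__ == "__main__":
    db = make_db()
    payload = "1' OR '1'='1"
    # Vulnerable: the injected condition is always true, every row comes back.
    print("concatenated:", login_vulnerable(db, payload, payload))
    # Parameterized: the same input is just an unknown name/password.
    print("parameterized:", login_parameterized(db, payload, payload))
```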