在我看来，用户输入的内容将包含在单引号内

It seems to me like the input from the user would be contained inside the single quotes

除非您在发布的name中包含单引号，否则将使您不使用引号.例如，将名称发布为:

It would unless you include single quotes in the posted name, which would allow you to break out of the quotes. Example, post the name as:

' or 1 or '

WHERE子句变为:

The WHERE clause becomes:

WHERE id = '' or 1 or '';

由于or 1部分，这将匹配并检索表中的所有行.如您所见，它突破了引号，注入了一些SQL，然后又回到了引号中，以使查询有效.

This would match and retrieve all rows in the table because of the or 1 part. As you can see, it breaks out of the quotes to inject some SQL, then it goes back into the quotes to make the query valid.

您可以在一个mysqli_query语句中执行多个查询吗?

Can you execute more than one query in one mysqli_query statement?

否，但是如果使用mysqli_multi_query执行，则可以在末尾添加多个查询.

No, but if it was executed with mysqli_multi_query then yes you could add multiple queries on to the end.

使上述安全性与mysqli_real_escape_string一样容易吗?

通常是的，但是准备声明会更好.使用转义，WHERE子句将变为(使用上面的示例):

Generally yes but a Prepared Statement would be better. Using escaping, the WHERE clause would become (using my example above):

WHERE id = '\' or 1 or \'';

这不再是脆弱的，因为引号不能被打断，并且仅当name字面匹配' or 1 or '时才匹配行，这显然是不可能的.

This is no longer vulnerable because the quotes can't be broken out of, and would only match rows if the name literally matches ' or 1 or ' which is obviously unlikely.