Fish Wang
says to
YSITD
搞不好他用mysql拼接字串,網頁輸出還完全沒escape就直接print在網頁裡啊