Mysql security testing-Mysql Tutorial-php.cn

Home

Database

Mysql Tutorial

Mysql security testing

高洛峰

Nov 21, 2016 pm 04:30 PM

mysql

一、没有进行预处理的SQL语句

<?php
    
    // 1.连接数据库
  $conn = mysql_connect(&#39;127.0.0.1:3306&#39;, &#39;root&#39;, &#39;518666&#39;);
  if (!$conn)
  {
    die("Could not connect:" . mysql_error());
  }

  // 2.选择数据库
  mysql_select_db(&#39;mysql_safe&#39;, $conn);


  // 3.设置编码,注意这里是utf8而不是utf-8,如果写后者，MySQL不会识别的，会出现乱码的。
  mysql_query("SET NAMES utf8");

  $title    = "我们的爱情";
  $content  = &#39;你是/谁啊，大几\都"老梁"做做&>women<a>没&#39;;
  $add_time = date("Y-m-d H:i:s");

  // 转义字符
  $content = mysql_real_escape_string($content);
  $content = htmlspecialchars($content, ENT_COMPAT);
  // 你是/谁啊，大几都做做&>women<a>没   // 自动过滤反斜杠
/*
  // 4.插入一条数据
  $insert_sql = "insert into post_tbl (title, content, user_id, add_time) values (&#39;{$title}&#39;, &#39;{$content}&#39;, &#39;4742551&#39;, &#39;{$add_time}&#39;)";
 if(mysql_query($insert_sql))
  {
    echo &#39;ok&#39;;

  }
  else
  {
    echo "Error : " . mysql_error();
  }
   $ret = mysql_affected_rows();
  print_r($ret);
  */
   // 5.PDO预处理插入
   // PDO（PHP Data Object）则是提供了一个 Abstraction Layer 来操作数据库
    // 查询
    $user_id  = 174742;
    $password = "&#39;&#39;or &#39;1=1&#39;" ;
    $sql = "select * from post_tbl where user_id = {$user_id} and password = {$password}";

    print_r($sql);
    $query  = mysql_query($sql);
    // $result = mysql_fetch_array($query);

    $rows = array();
    while($row=mysql_fetch_array($query))
    {
         $rows[] = $row;
    }

   
    print_r( $rows);




  // 关闭数据库连接
  mysql_close($conn);

/*

$str = "Bill & &#39;Steve&#39;";
echo htmlspecialchars($str, ENT_COMPAT); // 只转换双引号
echo "<br>";
echo htmlspecialchars($str, ENT_QUOTES); // 转换双引号和单引号
echo "<br>";
echo htmlspecialchars($str, ENT_NOQUOTES); // 不转换任何引号
*/

/*
以上代码的 HTML 输出如下（查看源代码）：
<!DOCTYPE html>
<html>
<body>
Bill & &#39;Steve&#39;<br>
Bill & &#039;Steve&#039;<br>
Bill & &#39;Steve&#39;
</body>
</html>
以上代码的浏览器输出：
Bill & &#39;Steve&#39;
Bill & &#39;Steve&#39;
Bill & &#39;Steve&#39;
*/

  function mforum_html_tag_to_html_entity($content)
{
  $content = (string)trim($content);
  if(empty($content)) return &#39;&#39;;
  // $content = str_replace(&#39; &#39;, &#39; &#39;, $content);
  $content = htmlspecialchars($content, ENT_COMPAT, GB2312, false);
  $content = str_replace(">", ">", $content);
  $content = str_replace("<", "<", $content);
  $content = str_replace("\"", """, $content);
  $content = preg_replace("/\\\$/", "&#036;", $content);
  $content = preg_replace("/\r/", "", $content);
  $content = str_replace("!", "&#33;", $content);
  $content = str_replace("&#39;", "&#39;", $content);
  $content = preg_replace("/\\\/", "&#092;", $content);

  // 内容敏感词过滤
  return $content;
}

二、PDO处理的SQL语句

<?php  

// PDO的使用
// http://blog.csdn.net/qq635785620/article/details/11284591
$dbh = new PDO(&#39;mysql:host=127.0.0.1:3306;dbname=mysql_safe&#39;, &#39;root&#39;, &#39;518666&#39;); 
 
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);    
$dbh->exec(&#39;set names utf8&#39;);   

$title    = "我们的爱情";
$content  = &#39;你是/谁啊，大几\都"老梁"做做&>women<a>没&#39; . " 测试打印号&#39;我是单引号&#39;哈哈";
$user_id  = 174742;
$add_time = date("Y-m-d H:i:s");

// $insert_sql = "insert into post_tbl (title, content, user_id, add_time) values (:x_title, :x_content, :x_user_id, :x_add_time)";

// $stmt = $dbh->prepare($insert_sql); 
// $stmt->execute(array(&#39;x_title&#39;=>$title,&#39;:x_content&#39;=> $content, &#39;:x_user_id&#39; => $user_id, &#39;:x_add_time&#39; => $add_time));    

// 查询
$user_id  = "17474#";
// $password = "&#39;&#39;or &#39;1=1&#39;";
 $password = 123456;
$sql = &#39;select * from post_tbl where user_id = :x_user_id and password = :x_password&#39;;
$stmt = $dbh->prepare($sql);    
$stmt->execute(array(&#39;:x_user_id&#39;=>$user_id, &#39;:x_password&#39; => $password));    

$rows = array();
while($row = $stmt->fetch(PDO::FETCH_ASSOC))
{   
   $rows[] = $row;    
    
}   
print_r($rows);    

// echo $dbh->lastinsertid();

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

MySQL: Essential Skills for Beginners to MasterApr 18, 2025 am 12:24 AM

MySQL is suitable for beginners to learn database skills. 1. Install MySQL server and client tools. 2. Understand basic SQL queries, such as SELECT. 3. Master data operations: create tables, insert, update, and delete data. 4. Learn advanced skills: subquery and window functions. 5. Debugging and optimization: Check syntax, use indexes, avoid SELECT*, and use LIMIT.

MySQL: Structured Data and Relational DatabasesApr 18, 2025 am 12:22 AM

MySQL efficiently manages structured data through table structure and SQL query, and implements inter-table relationships through foreign keys. 1. Define the data format and type when creating a table. 2. Use foreign keys to establish relationships between tables. 3. Improve performance through indexing and query optimization. 4. Regularly backup and monitor databases to ensure data security and performance optimization.

MySQL: Key Features and Capabilities ExplainedApr 18, 2025 am 12:17 AM

MySQL is an open source relational database management system that is widely used in Web development. Its key features include: 1. Supports multiple storage engines, such as InnoDB and MyISAM, suitable for different scenarios; 2. Provides master-slave replication functions to facilitate load balancing and data backup; 3. Improve query efficiency through query optimization and index use.

The Purpose of SQL: Interacting with MySQL DatabasesApr 18, 2025 am 12:12 AM

SQL is used to interact with MySQL database to realize data addition, deletion, modification, inspection and database design. 1) SQL performs data operations through SELECT, INSERT, UPDATE, DELETE statements; 2) Use CREATE, ALTER, DROP statements for database design and management; 3) Complex queries and data analysis are implemented through SQL to improve business decision-making efficiency.

MySQL for Beginners: Getting Started with Database ManagementApr 18, 2025 am 12:10 AM

The basic operations of MySQL include creating databases, tables, and using SQL to perform CRUD operations on data. 1. Create a database: CREATEDATABASEmy_first_db; 2. Create a table: CREATETABLEbooks(idINTAUTO_INCREMENTPRIMARYKEY, titleVARCHAR(100)NOTNULL, authorVARCHAR(100)NOTNULL, published_yearINT); 3. Insert data: INSERTINTObooks(title, author, published_year)VA

MySQL's Role: Databases in Web ApplicationsApr 17, 2025 am 12:23 AM

The main role of MySQL in web applications is to store and manage data. 1.MySQL efficiently processes user information, product catalogs, transaction records and other data. 2. Through SQL query, developers can extract information from the database to generate dynamic content. 3.MySQL works based on the client-server model to ensure acceptable query speed.

MySQL: Building Your First DatabaseApr 17, 2025 am 12:22 AM

The steps to build a MySQL database include: 1. Create a database and table, 2. Insert data, and 3. Conduct queries. First, use the CREATEDATABASE and CREATETABLE statements to create the database and table, then use the INSERTINTO statement to insert the data, and finally use the SELECT statement to query the data.

MySQL: A Beginner-Friendly Approach to Data StorageApr 17, 2025 am 12:21 AM

MySQL is suitable for beginners because it is easy to use and powerful. 1.MySQL is a relational database, and uses SQL for CRUD operations. 2. It is simple to install and requires the root user password to be configured. 3. Use INSERT, UPDATE, DELETE, and SELECT to perform data operations. 4. ORDERBY, WHERE and JOIN can be used for complex queries. 5. Debugging requires checking the syntax and use EXPLAIN to analyze the query. 6. Optimization suggestions include using indexes, choosing the right data type and good programming habits.

See all articles

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)

1 months agoBy尊渡假赌尊渡假赌尊渡假赌

R.E.P.O. Best Graphic Settings

1 months agoBy尊渡假赌尊渡假赌尊渡假赌

Assassin's Creed Shadows: Seashell Riddle Solution

3 weeks agoByDDD

What's New in Windows 11 KB5054979 & How to Fix Update Issues

2 weeks agoByDDD

Will R.E.P.O. Have Crossplay?

1 months agoBy尊渡假赌尊渡假赌尊渡假赌

Hot Tools

Notepad++7.3.1

Easy-to-use and free code editor

ZendStudio 13.5.1 Mac

Powerful PHP integrated development environment

VSCode Windows 64-bit Download

A free and powerful IDE editor launched by Microsoft

MantisBT

Mantis is an easy-to-deploy web-based defect tracking tool designed to aid in product defect tracking. It requires PHP, MySQL and a web server. Check out our demo and hosting services.

SecLists

SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.

Hot Topics

Where is the login entrance for gmail email?

7546

CakePHP Tutorial

1382

What is the format of the account name of steam

win11 activation key permanent

nyt connections hints and answers