mysql数据库表user结构如图,php版本5.4.31
$uid="1'; select * FROM user;";
直接用:
$result=mysql_query("select * from user where uid='$uid' ");
mysql_error()显示
`You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'select * FROM user;'' at line 1`
和用pdo查询:
$sql="select * from user where uid='$uid' ";
$res=$pdo->query($sql);
显示$res是空
请问大神我构造的mysql注入语句是不是有错...
我主要目的是想测试不同的mysql注入语句,pdo_mysql的防护性
大家讲道理2017-04-17 15:30:49
$uid="1'; select * FROM user;";This kind of statement actually has nothing to do with your test, but causes trouble. You can test directly mysql_query("select * from user where uid=1; select * from user"). I haven't looked into this stuff in depth, but your two tests are equivalent and will both be injected.
The simplest example of an injection problem is $username = "It's test", which then becomes "select * from user where username='It's test" when executed, causing a syntax error. PDO and others prevent such problems through preprocessing. For example, $pdo->query("select * from user where username=?", array("It's test")); will be appropriately redirected to prevent injection. However, if you use $pdo->query($sql) directly in your example, the protection mechanism will not generate any Effective.
That's the general idea, understand it yourself.
I’ve been very busy with work recently, so I had to ignore most of the invitations. I occasionally answered a few and didn’t have time to say much, so I could only say sorry.
迷茫2017-04-17 15:30:49
Mysql_query, the spliced SQL statement is illegal
select * from user where uid='1'; select * FROM user;'Find a way to close the single ' and change it to the following code:
$uid="1'; select * FROM user where uid='";PDO will automatically escape the following statement of the query, so it is empty.
select * from user where uid='1\'; select * FROM user;'迷茫2017-04-17 15:30:49
I discovered the problem myself:
Use directly$uid= "888' or '2=2";
The contents of the entire user table were exposed