Community Learn Tools Library Leisure
search
English
Home > Backend Development > PHP Tutorial > body text

请教sql注入问题

WBOY
Release: 2016-06-23 13:57:49
Original
1077 people have browsed it

大家好 前几天做了个网站  考虑到我没有做sql防注入  这几天看了一些案列 用在我自己的网站上 却没反应   现在请教下 我这样写 如何构建sql代码才能被注入呢?
主要语句就是这个
include "../admin/connss.php";
$id=$_GET[id];
$sql=mysql_query("select * from news where id='$id'");
$row = mysql_fetch_array($sql);
?>

其他的都是显示的 没什么用 我感觉我没做过滤 正常这种应该被注入啊  但是我试了一些方法 没什么用 请教下
谢谢


回复讨论(解决方案)

addslashes或者mysql_real_escape_string都可以转义字段 防止注入

addslashes或者mysql_real_escape_string都可以转义字段 防止注入



请问,如果我用mysql数据库,只需mysql_real_escape_string,不进行其他操作就可以防止mysql注入吗?

用PDO连接吧,mysql_real_escape_string在新版本的PHP已经被摒弃了,addslashes根本不可靠。

addslashes或者mysql_real_escape_string都可以转义字段 防止注入


我的意思是 对于这段代码 如何构建一个sql注入? 谢谢 

-- 你的程序设计是这个样子的: -- $id=“100”select ....from... where ID = '100' ; -- SQL注入的结果是下面的样子:-- $id = "100' or '1' ='1"select .... from .... where ID ='100' or '1' ='1'
Copy after login
Copy after login
Copy after login

-- 你的程序设计是这个样子的: -- $id=“100”select ....from... where ID = '100' ; -- SQL注入的结果是下面的样子:-- $id = "100' or '1' ='1"select .... from .... where ID ='100' or '1' ='1'
Copy after login
Copy after login
Copy after login

但是发现实际并不能注入啊? 什么愿意呢 


-- 你的程序设计是这个样子的: -- $id=“100”select ....from... where ID = '100' ; -- SQL注入的结果是下面的样子:-- $id = "100' or '1' ='1"select .... from .... where ID ='100' or '1' ='1'
Copy after login
Copy after login
Copy after login

但是发现实际并不能注入啊? 什么愿意呢

自行去掉双引号。

include "../admin/connss.php";
$id=INTVAL($_GET[id]);
$sql=mysql_query("select * from news where id='$id'");
$row = mysql_fetch_array($sql);
?>

在后面加一个0

Related labels:
sql injection
source:php.cn
Previous article:求助: 加了个<就无法匹配到结果了 Next article:如何用SELECT下拉菜单和TEXT文本框从选择数据库搜索数据
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Latest Articles by Author
Latest Issues
Unable to get input element from website So I'm trying to get an input element from Twitter, but when I run it it keeps giving me a...
From 2024-04-06 18:59:57
0
1
442
Scatterplot points do not maintain values ​​when zooming in d3.js This is my first time using d3.js, so please bear with me. I implemented it as pure JavaSc...
From 2024-04-06 18:16:26
0
1
403
Get the total return value of the input field method I'm trying to find the total value entered by the user. Get an aggregate that multiplies a...
From 2024-04-06 18:19:37
0
1
380
Why does omitting 0ms sleep break my css transitions? I'm trying to implement a FLIP animation to see if I understand it correctly. In this code...
From 2024-04-06 16:29:50
0
2
490
Record query under partial value conditions - SQL skill sharing I have a table called zipcode which has a column called code. The Code column contains the...
From 2024-04-06 16:01:26
0
1
395
Related Topics
More>
Popular Recommendations
Popular Tutorials
More>
Related Tutorials
Popular Recommendations
Latest courses
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template