The principle of SQL injection attacks
While submitting a query request, a malicious user places SQL fragments inside the request content. The application trusts that input too much: it neither validates nor escapes it, but concatenates it straight into a query string, so the attacker's SQL is executed by the database server as part of the application's own statement.
SQL injection attack classification
(1) By injection point
Numeric-type injection (the parameter is used unquoted, e.g. where id=1) and string-type injection (the parameter sits inside quotes, e.g. where name='...')
(2) By submission method
GET injection, POST injection, cookie injection, HTTP header injection
(3) By the way information is extracted
Boolean-based blind injection, time-based blind injection, error-based injection
SQL injection attack cases:
1. Injection in an article view:
Suppose an article is viewed through the URL parameter ?id=1.
By injecting ?id=1 or 1=1, an attacker can list every article in the table.
If a user profile is viewed through a user id, such as ?uid=1,
injecting ?uid=1 or 1=1 in the same way displays every record in the user table.
The SQL commands are as follows:
?id=1 produces: select * from article where id=1. This statement returns a single record.
?id=1 or 1=1 produces: select * from article where id=1 or 1=1. Because 1=1 is true for every row, this statement returns the whole table.
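The article case above, as an added example that is not part of the original page. It uses Python's built-in sqlite3 module with a constructed in-memory `article` table (three rows) standing in for the site's database. The vulnerable function splices the ?id= value into the SQL text exactly as the page describes; the hardened function rejects anything that is not an integer and binds the value as a query parameter. The function and table names are assumptions for the illustration.

```python
import sqlite3

# Constructed sample data standing in for the site's article table.
ARTICLES = [(1, "First post"), (2, "Second post"), (3, "Third post")]


def make_db():
    """In-memory SQLite database with the assumed `article` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table article (id integer primary key, title text)")
    conn.executemany("insert into article values (?, ?)", ARTICLES)
    return conn


def vulnerable_view(conn, raw_id):
    """The flawed pattern: the raw ?id= value is pasted into the SQL text.
    A numeric injection point has no surrounding quotes, so `1 or 1=1`
    becomes part of the WHERE clause and matches every row."""
    sql = "select * from article where id=" + raw_id
    return conn.execute(sql).fetchall()


def safe_view(conn, raw_id):
    """Hardened version: the value must parse as an integer, and it is then
    passed as a bound parameter, so the database never sees it as SQL."""
    try:
        article_id = int(raw_id)
    except ValueError:
        return []  # "1 or 1=1" and anything else that is not a number is rejected
    return conn.execute("select * from article where id=?", (article_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_view(db, "1"))          # one row
    print(vulnerable_view(db, "1 or 1=1"))   # all three rows: the whole table leaks
    print(safe_view(db, "1 or 1=1"))         # []: payload rejected before it reaches SQL
```

Binding the parameter is what removes the injection; the int() check on top of it gives the application an early, explicit rejection instead of silently querying for a nonsensical id.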
2. Login injection:
The login form has a user_name field, and the query is: select * from users where user_name='{user_name}'
If the attacker types ' or 1='1 into the user_name box, the constructed SQL becomes: select * from users where user_name='' or 1='1'. The WHERE clause is now true for every row, so the attacker is let into the system without a valid account.
3. Table guessing through SQL injection:
Fill in the username field on the login page with: ' or 1=(select count(0) from recharge) or 1='1. The constructed SQL is: select * from users where user_name='' or 1=(select count(0) from recharge) or 1='1'
This tells the attacker whether the recharge table exists: if it does, the statement executes normally; if not, the database reports an error (unknown table), and the difference in the response leaks one bit of schema information per guess.
Once a table name is known, the attacker can insert, delete, update and select its data. For example:
Fill in the username field with: '; delete from users. The dangerous SQL constructed is: select * from users where user_name=''; delete from users; (in practice the closing quote the application appends after the payload has to be neutralized, for instance with a comment marker, or the statement will not parse).
By appending a semicolon, arbitrary insert, delete, update and select statements can be stacked onto the original query, and the whole database falls under the attacker's control. Note that stacked statements only run if the database interface accepts more than one statement per call: in PHP, mysqli_query executes a single statement and refuses the rest, whereas mysqli_multi_query executes all of them.
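The login bypass, table guessing and stacked-query cases above, as one added example that is not part of the original page. It uses Python's sqlite3 module with constructed `users` and `recharge` tables; the function names are assumptions. Two details differ from the payloads in the text because of SQLite behaviour: the tautology is written '1'='1 rather than 1='1, since SQLite (unlike MySQL) does not convert between numbers and strings when comparing, and the stacked delete ends with where '1'='1 so that the closing quote appended by the application still parses. The stacked case is run twice: once through execute(), which like mysqli_query accepts only one statement, and once through executescript(), which like mysqli_multi_query runs them all.

```python
import sqlite3

# Constructed sample accounts; the table names follow the cases in the text.
USERS = [(1, "admin", "s3cret"), (2, "alice", "hunter2")]


def make_db(with_recharge=True):
    """In-memory SQLite database with the assumed `users` table and,
    optionally, the `recharge` table whose existence the attacker guesses."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id integer primary key, user_name text, password text)")
    conn.executemany("insert into users values (?, ?, ?)", USERS)
    if with_recharge:
        conn.execute("create table recharge (id integer primary key, amount integer)")
    return conn


def vulnerable_login(conn, user_name):
    """The flawed pattern: the form value is spliced between single quotes,
    so a value containing a quote closes the literal and the rest is SQL."""
    sql = "select * from users where user_name='" + user_name + "'"
    return conn.execute(sql).fetchall()


def safe_login(conn, user_name):
    """Hardened: bound parameter, so the payload is looked up as a literal
    user name (which does not exist) instead of being parsed as SQL."""
    return conn.execute("select * from users where user_name=?", (user_name,)).fetchall()


def guess_table(conn, table):
    """Table guessing: the subquery only compiles if `table` exists.
    A normal result means it does; a database error means it does not."""
    payload = "' or 1=(select count(0) from " + table + ") or '1'='1"
    try:
        vulnerable_login(conn, payload)
        return True
    except sqlite3.OperationalError:  # SQLite reports "no such table: ..."
        return False


def stacked_delete(conn, multi_statement_driver):
    """Stacked query: `; delete from users ...` is appended to the login query.
    Whether it runs depends on the driver, not on the injection itself.
    Returns how many users survive."""
    payload = "'; delete from users where '1'='1"
    sql = "select * from users where user_name='" + payload + "'"
    try:
        if multi_statement_driver:
            conn.executescript(sql)  # runs every statement (mysqli_multi_query behaviour)
        else:
            conn.execute(sql)        # one statement only (mysqli_query behaviour)
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        pass  # driver refused: "You can only execute one statement at a time."
    return conn.execute("select count(*) from users").fetchone()[0]


if __name__ == "__main__":
    print(vulnerable_login(make_db(), "' or '1'='1"))  # every account comes back
    print(safe_login(make_db(), "' or '1'='1"))        # []
    print(guess_table(make_db(), "recharge"), guess_table(make_db(), "no_such_table"))
    print(stacked_delete(make_db(), multi_statement_driver=False))  # 2: refused
    print(stacked_delete(make_db(), multi_statement_driver=True))   # 0: table emptied
```

The driver refusing a second statement is a property of the API call, not a fix: the same injection still bypasses the login and still leaks schema information through the error-versus-no-error channel, which is why only the bound-parameter version closes the hole.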
The above is the detailed content of The principle of SQL injection attack. For more information, please follow other related articles on the PHP Chinese website!