mysql数据库表user结构如图,php版本5.4.31
$uid="1'; select * FROM user;";
直接用:
$result=mysql_query("select * from user where uid='$uid' ");
mysql_error()显示
`You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'select * FROM user;'' at line 1`
和用pdo查询:
$sql="select * from user where uid='$uid' ";
$res=$pdo->query($sql);
显示$res是空
请问大神我构造的mysql注入语句是不是有错...
我主要目的是想测试不同的mysql注入语句,pdo_mysql的防护性
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
$uid="1'; select * FROM user;";This kind of statement actually has nothing to do with your test, but causes trouble. You can test directlymysql_query("select * from user where uid=1; select * from user"). I haven't looked into this stuff in depth, but your two tests are equivalent and will both be injected.The simplest example of an injection problem is
$username = "It's test", which then becomes"select * from user where username='It's test"when executed, causing a syntax error. PDO and others prevent such problems through preprocessing. For example,$pdo->query("select * from user where username=?", array("It's test"));will be appropriately redirected to prevent injection. However, if you use$pdo->query($sql)directly in your example, the protection mechanism will not generate any Effective.That's the general idea, understand it yourself.
I’ve been very busy with work recently, so I had to ignore most of the invitations. I occasionally answered a few and didn’t have time to say much, so I could only say sorry.
Mysql_query, the spliced SQL statement is illegal
Find a way to close the single ' and change it to the following code:
PDO will automatically escape the following statement of the query, so it is empty.
I discovered the problem myself:
Use directly
$uid= "888' or '2=2";The contents of the entire user table were exposed