Without further ado, let's get straight to it.
1. What is SQL injection? Look it up on Wikipedia.
2. Local test code:
If the form is submitted with correct credentials, print hello, "username";
otherwise, print "404 not found".
<?php
require 'config.php';
// Legacy mysql_* API (removed in PHP 7); kept as in the original post
$DBConnection = mysql_connect("$dbhost", "$dbuser", "$dbpwd");
mysql_select_db("$dbdatabase");
if (isset($_GET['submit']) && $_GET['submit']) {
    // Vulnerable on purpose: the username and password are concatenated straight into the SQL text
    $sql = "select * from test where name='" . $_GET['username'] . "' and password='" . $_GET['password'] . "'";
    // echo $sql; exit;   // uncomment to print the built query while debugging
    $result = mysql_query($sql, $DBConnection);
    $num = mysql_num_rows($result);
    if ($num >= 1) {
        echo "hello," . $_GET['username'];
    } else {
        echo "404 not found";
    }
}
?>
<form action="login.php" method="GET">
<table>
<tr>
<td>username</td>
<td><input type="text" name="username"/></td>
<td>password</td>
<td><input type="text" name="password"/></td>
<td>submit</td>
<td><input type="submit" name="submit"/></td>
</tr>
</table>
</form>
3. Browser Interface display:
4. SQL injection:
5. Principle: why does it print hello even when the username is wrong?
I can echo it:
$sql = "select * from test where name='" . $_GET['username'] . "' and password='" . $_GET['password'] . "'";
echo $sql; exit;
Display:
Query in my mysql database:
You can see that the row is found because, inside the SQL statement, the single quote in the first half of the input closes the string literal, the remainder of the query is commented out, and the always-true condition "1 = 1" in the middle makes the login succeed for any input.
6. Summary:
1) The SQL injection process itself is actually very simple. The difficulty lies in the flexibility of the submitted injection string, and the use of the single quote is critical. Debugging by echoing the built SQL statement is also worth a try.
2) Submitting a form with the GET method is dangerous, so use the POST method!
3) Preventing SQL injection: as seen above, SQL injection relies on illegal characters submitted by the user (for example the single quote ' in this article, the SQL comment marker --, and the backslash \), so you must escape them with the htmlspecialchars function and the mysql_real_escape_string function.
4) If the form is already validated with JS, is validation in the backend (JSP, PHP, etc.) still required?
--- Yes. JS validation can be disabled, for example with Firebug.
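As an added example that is not part of the original post, here is the post's concatenated query next to a hardened version that uses PDO prepared statements (a stronger fix than escaping, and one that works the same whether the form uses GET or POST, since the problem is how the SQL is built, not how the form is sent). Fed the kind of input the post describes (a quote that closes the string, 1=1, and a -- comment), the concatenated version matches a row with wrong credentials while the prepared version matches none; the in-memory SQLite database, the row values and the function names are assumptions made for this example.

```php
<?php
// Added example, not from the original post. Uses an in-memory SQLite database through PDO
// so it runs offline; the table "test" and columns name/password follow the post, the row is constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE test (name TEXT, password TEXT)");
$db->exec("INSERT INTO test (name, password) VALUES ('alice', 's3cret')");

// The post's pattern: input is pasted into the SQL text, so quotes in the input change the query.
function login_concat(PDO $db, string $user, string $pass): int
{
    $sql = "select * from test where name='" . $user . "' and password='" . $pass . "'";
    return count($db->query($sql)->fetchAll());
}

// Hardened version: placeholders keep the input as data, so a quote is just another character.
function login_prepared(PDO $db, string $user, string $pass): int
{
    $stmt = $db->prepare("select * from test where name = :name and password = :password");
    $stmt->execute([':name' => $user, ':password' => $pass]);
    return count($stmt->fetchAll());
}

// Input shaped like the post describes: the quote closes the string, 1=1 is always true,
// and -- comments out the rest of the query (the password check).
$badUser = "' or 1=1 -- ";
printf("concat, wrong credentials:   %d row(s)\n", login_concat($db, $badUser, 'wrong'));
printf("prepared, wrong credentials: %d row(s)\n", login_prepared($db, $badUser, 'wrong'));
printf("prepared, real credentials:  %d row(s)\n", login_prepared($db, 'alice', 's3cret'));
```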