A) to find injection points (such as: Login interface, message board, etc.)
b) The user constructs the SQL statement (for example: ' or 1=1#, which is explained later)
c) Send SQL statements to the database management system (DBMS)
D) The DBMS receives the request and interprets the request as a machine code instruction to perform the necessary access operations
e) The DBMS accepts the returned result and processes it back to the user
Because the user constructs a special SQL statement, it must return special results (as long as your SQL statement is flexible enough).
Below, I'll show you a concrete example of SQL injection
Second, the SQL injection example is detailed (the above test assumes that the server does not open MAGIC_QUOTE_GPC)
1) Pre-preparatory work
To demonstrate a SQL injection vulnerability, log in to the background administrator interface
First, create a data table for the experiment:
Copy the Code code as follows:
CreateTable ' users ' (
' id ' int (one) not NULL auto_increment,
' username ' varchar (+) not NULL,
' Password ' varchar (+) not NULL,
' Email ' varchar (+) not NULL,
PRIMARYKEY (' id '),
UniqueKey ' username ' (' username ')
) Engine=myisam auto_increment=3 DEFAULT charset=latin1;
Add a record for testing:
Copy the Code code as follows:
Insertinto Users (Username,password,email)
VALUES (' Marcofly ', MD5 (' Test '), ' marcofly@test.com ');
Next, paste in the source code of the login interface:
Copy the Code code as follows:
SQL Injection Demo
When the user clicks the Submit button, the form data will be submitted to the validate.php page, the validate.php page is used to determine whether the user entered the user name and password have met the requirements (this step is very important, is often the SQL vulnerability)
The code is as follows:
Copy the Code code as follows:
Login Verification
$conn = @mysql_connect ("localhost", ' root ', ') or Die ("Database connection failed! ");;
mysql_select_db ("injection", $conn) or Die ("the database you want to select does not exist");
$name =$_post[' username '];
$pwd =$_post[' password '];
$sql = "SELECT * from Users where username= ' $name ' andpassword= ' $pwd '";
$query =mysql_query ($sql);
$arr =mysql_fetch_array ($query);
if (Is_array ($arr)) {
Header ("Location:manager.php");
}else{
echo "Your username or password was entered incorrectly, please login again!" ";
}
?>
Notice that no, we directly to the user submitted data (user name and password) directly to carry out, and did not implement special character filtering, later you will understand that this is fatal.
Code Analysis: If the user name and password are matched successfully, will jump to the Administrator interface (manager.php), unsuccessful, give a friendly prompt message.
Here, the pre-work is done, and the next step is to start our plays: SQL injection
2) Constructing SQL statements
After you have completed the correct username (marcofly) and password (test), click Submit and you will be returned to our "Welcome administrator" interface.
Because the user name and password that we submitted are synthesized into the SQL query statement after this:
Copy the Code code as follows:
SELECT * from users where username= ' Marcofly ' andpassword=md5 (' test ')
Obviously, the user name and password are the same as we gave earlier, will certainly be able to log on successfully. But what if we enter an incorrect user name or password? Obviously, it's definitely not going to get in. Well, this is normally the case, but for a Web site with a SQL injection vulnerability, you can successfully log in as long as you construct a special "string".
For example: In the User name input box, enter: ' or 1=1#, password random input, this time the synthesized SQL query statement is:
Copy the Code code as follows:
SELECT * from users where username= ' or 1=1# ' and Password=md5 (")
Semantic analysis: "#" is an annotation in MySQL, so that the content after the pound is treated as a comment by MySQL, so it won't be executed, in other words, the following two SQL statements are equivalent:
Copy the Code code as follows:
SELECT * from users where username= ' or 1=1# ' and Password=md5 (")
Equivalent to
Copy the Code code as follows:
Select *from users where Username= ' or 1=1
Because 1=1 is always set up, that is, where clause is all the time true and the SQL is further simplified, it is equivalent to the following SELECT statement:
Copy the Code code as follows:
SELECT * from Users
Yes, the purpose of this SQL statement is to retrieve all the fields in the Users table
Tip: If you don't know the effect of single quotes in ' or 1=1# ', you can echo the SQL statement yourself.
See, a structured SQL statement has such a terrible destructive power, I believe you see this, began to SQL injection has a rational understanding of it ~
Yes, SQL injection is so easy. However, it is not easy to construct flexible SQL statements based on the actual situation. After you have the foundation, you have to go slowly to explore it.
Have you ever thought that if the data submitted through the Background login window is filtered by the administrator for special characters? Then our universal username ' or 1=1# will not be available. But this is not to say that we have no solution, to know that users and databases to deal with the way more than this one.
http://www.bkjia.com/PHPjc/727938.html www.bkjia.com true http://www.bkjia.com/PHPjc/727938.html techarticle when developing a Web site, you need to filter the characters passed from the page for security reasons. In general, users can invoke the contents of the database through the following interfaces: URL address bar, login Realm ...
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
