For more information about mysql statement injection, see $ SQL & nbsp ;=& nbsp; "select & nbsp; * & nbsp; from & nbsp ;". $ site-& gt; table (& nbsp; "ad" & nbsp ;). "& nbsp; where & nbsp; your age_id = ". $ s [0]. "& nbsp; and & nbsp; cate mysql statement injection
$ SQL = "select * from ". $ site-> table ("ad "). "where your age_id = ". $ s [0]. "and category = '". $ s [1]. "'and type = 0 and state = 0 order by sort_order desc ";
Mysql_query ($ SQL );
$ S is a parameter passed in through the url. I would like to ask $ s [0] what values will cause the injection vulnerability or does this statement fail to be injected? Mysql database injection database security
------ Solution --------------------
It is possible to enter anything.
But I can't think of any harm.
------ Solution --------------------
$ S [0] = '= 1 and sleep (1000000 )'
Multiple executions may cause the system to generate many sleep processes, resulting in DOS on the server...
And so on.
------ Solution --------------------
We recommend that you use the framework. if you write your own programs, you may not consider them for weeks. The framework is different and some methods are automatically encapsulated, for example, anti-SQL injection.
------ Solution --------------------
$ S [0] = $ s [0]. "--"; // add comments to collect more information
$ S [0] = $ s [0]. "and 0 <> (select count (*) from admin )";
You know if you have the admin table.
------ Solution --------------------
Where between age_id = "" or "" = "" and
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.
