Environment: MySQL, PHP
Database:
PHP code
<html>
<head>
<title>
SQLInjection
</title>
</head>
<body>
<center>
<div>
<form action="sqlIN.php" method="get">
name: <input type="text" name="name">
<br><br>
<input type="submit" value="Search People">
</form>
</div>
</center>
</body>
</html>
<?php
$ip = 'localhost';
$username = 'root';
$password = '123456';
$database = 'yksData';
$connect = mysqli_connect($ip, $username, $password, $database); // create the connection
if (!$connect) {
    echo "fail to link";
} else {
    echo 'success!!' . "<br/>";
}
// database connection done
// build the SQL statement (deliberately vulnerable: user input is concatenated straight into the query)
$sql = "select name from people where name = '" . $_GET['name'] . "';";
echo $sql . "<br/>";
$result = mysqli_query($connect, $sql);
if ($result) {
    while ($row = mysqli_fetch_assoc($result)) {
        echo $row['name'] . "<br/>";
    }
    mysqli_free_result($result); // release the result set (only exists when the query succeeded)
}
mysqli_close($connect); // close the connection
Normal query
Universal (always-true) injection
Principle:
select name from people where name = '' or 1=1 -- '';
- The injected single quote closes the original opening quote, and the "-- " comment (MySQL requires the trailing space) discards the quote that follows.
- Because 1=1 is always true, the OR makes the WHERE condition true for every row.
- So every row is returned.
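The root cause in the PHP handler above is string concatenation of $_GET['name'] into the SQL text, which is exactly what lets the always-true clause rewrite the WHERE condition. The following is an added hardened version of that handler (it is example code written for this page, not the original post's code); it assumes the same connection parameters and the same people(name) table as the post, and uses a mysqli prepared statement so the input is bound as a value rather than parsed as SQL.

```php
<?php
// Added example: hardened form of the post's search handler using a prepared statement.
// Assumes the post's connection parameters and a `people` table with a `name` column.
$ip = 'localhost';
$username = 'root';
$password = '123456';
$database = 'yksData';

// Report driver errors as exceptions instead of returning false silently,
// so a failed query can no longer fall through to mysqli_free_result(false).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$connect = mysqli_connect($ip, $username, $password, $database);

$name = $_GET['name'] ?? '';

// The SQL text contains only a placeholder; the user-supplied value never
// becomes part of the statement, so quotes and "-- " in it have no SQL meaning.
$stmt = mysqli_prepare($connect, "SELECT name FROM people WHERE name = ?");
mysqli_stmt_bind_param($stmt, 's', $name); // 's' = bind as a string value
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);    // needs the mysqlnd driver (default in current PHP)

while ($row = mysqli_fetch_assoc($result)) {
    // Encode on output so stored data is rendered as text, not interpreted by the browser.
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . "<br/>";
}

mysqli_free_result($result);
mysqli_stmt_close($stmt);
mysqli_close($connect);
```

With this version, submitting the post's payload (' or 1=1 -- ) simply searches for a person whose name is literally that string, and the query returns no rows instead of the whole table. Note also that the original echoes $sql back to the browser; the hardened handler does not, since revealing the exact query text gives away the schema and is never needed by a legitimate user.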