如图,mysql使用以下查询语句时,貌似会查出“所有数据”:select * from member where username='kobe'+'';
实际上,直接查这个表的时候,还有其他数据,但通过这种“特殊查询”没有查到
这是因为在mysql中,字符串与数值的运算,首先会尝试将字符串转化为数值,再进行运算。但如果字符串的前面并不是以数字开头,则会直接转化为0,上述特殊查询语句相当于select * from member where username=0;
而'321'字符串转为数值是321,并不等于0,'3210'同理,所以通过这种“特殊方式”查询不到
当然还有一种更特殊的情况,查看这条查询语句:select * from member where username='300kobe'+21;
发现能够查到数据,因此我们可以推测,mysql中字符串转数值类型,是从第一个不为数值的字符处开始截断,下面尝试这条语句:select * from member where username='250ko123be'+'50abcd'+20+'1kobe999';
成功查到数据
更通俗的验证:
select * from member where username='kobe' and 0='';
select * from member where username='kobe' and ''+''=0;
select * from member where username='kobe' and '123'=0;
再插入两个数据(321abc123、321a123),查查321,发现直接查到了3条数据,这下知道为什么大部分注册要求账号密码不能以数字开头了
字符串与字符串之间的运算也会先转为数值,再进行运算:
- select * from member where username='321';
- select * from member where username='320' + '1';
- select * from member where username='kobe' and '123aaa' = 123;
- select * from member where username='123aaa' = '123';