这个 mysql 查询是如何工作的?
Posted
技术标签:
【中文标题】这个 mysql 查询是如何工作的?【英文标题】:how does this mysql query work? 【发布时间】:2017-05-31 02:50:08 【问题描述】:我的php代码:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-1 SqL Injection master Course by Hitesh Choudhary</title>
<link rel="stylesheet" href="../index.html_files/freemind2html.css" type="text/css"/>
</head>
<body>
<div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center">
<h1><span class="style1">Welcome </span><font color="#FF0000">to SQL injection Master Course </font></h1>
<h1><span class="style2">Lesson-1</span></h1>
<h1><span class="style4">Hint : Error based string</span> <br>
<font size="3" color="#666666">
<?php
//including the mysql connect parameters.
include("../sql-connections/sql-connect.php");
// take the variables
if(isset($_GET['id']))
$id=$_GET['id'];
//logging the connection parameters to a file for analysis.
//$fp=fopen('result.txt','a');
//fwrite($fp,'ID:'.$id."\n");
//fclose($fp);
// connectivity
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
echo '<font color= "#0000ff">';
echo 'Your Login name:'. $row['username'];
echo "<br>";
echo 'Your Password:' .$row['password'];
echo "</font>";
else
echo '<font color= "#900">';
print_r(mysql_error());
echo "</font>";
else echo "Please input the ID as parameter with numeric value";
?>
</font>
</h1>
</div>
<img border="0" src="img1.gif" >
<div class="botton_fix">For more please visit : <a href="http://www.hiteshchoudhary.com" target="_blank">www.hiteshchoudhary.com</a></div>
</br></br></br>
<center>
</center>
</body>
</html>
我正在尝试使用以下查询 SQL 注入此页面
localhost/example/Less-1/index.php?id=1 order by 100
结果是用户名:some 和密码:some
localhost/example/Less-1/index.php?id=1
结果是用户名:some 和密码:some
我也检查了$id=2,3,...等等,它工作正常
为什么会这样?我应该得到一个错误吧?
【问题讨论】:
我首先建议您不要使用已弃用的 API mysql_*,而是使用 myslqi_* 甚至更好的 PDO。 mysql_* API 已在 PHP v7 中移除 我想你错过了单引号。尝试 ocalhost/example/Less-1/index.php?id=1';删除表用户; # 【参考方案1】:在这种情况下,数据库查询不会抛出任何错误。如果 id 不等于 session id,你必须抛出异常
if ($_GET['id'] != $_SESSION['id'])
throw \Excetption("You don't have access.");
【讨论】:
【参考方案2】:我不知道,你将如何连接你的数据库并使用连接..所以我已经在代码中编写了数据库连接..如果你有任何问题,请尝试并告诉我。 :
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-1 SqL Injection master Course by Hitesh Choudhary</title>
<link rel="stylesheet" href="../index.html_files/freemind2html.css" type="text/css"/>
</head>
<body>
<div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center">
<h1><span class="style1">Welcome </span><font color="#FF0000">to SQL injection Master Course </font></h1>
<h1><span class="style2">Lesson-1</span></h1>
<h1><span class="style4">Hint : Error based string</span> <br>
<font size="3" color="#666666">
<?php
// include("../sql-connections/sql-connect.php");
if (!$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password'))
echo 'Could not connect to mysql';
exit;
if (!mysql_select_db('mysql_dbname', $link))
echo 'Could not select database';
exit;
$sql = "SELECT * FROM users WHERE id='".$id."' LIMIT 0,1";
$result = mysql_query($sql, $link);
if (!$result)
echo "DB Error, could not query the database\n";
echo 'MySQL Error: ' . mysql_error();
exit;
while ($row = mysql_fetch_assoc($result))
echo '<font color= "#0000ff">';
echo 'Your Login name:'. $row['username'];
echo "<br>";
echo 'Your Password:' .$row['password'];
echo "</font>"
mysql_free_result($result);
?>
</font>
</h1>
</div>
<img border="0" src="img1.gif" >
<div class="botton_fix">For more please visit : <a href="http://www.hiteshchoudhary.com" target="_blank">www.hiteshchoudhary.com</a></div>
</br></br></br>
<center>
</center>
</body>
</html>
【讨论】:
以上是关于这个 mysql 查询是如何工作的?的主要内容,如果未能解决你的问题,请参考以下文章