demoUserID = getrequestString("userID"); demoSQL = "SELECT * FROM users WHERE id =" + demoUserID;
236893238 OR 1=1
它将被拼接成下面的 SQL 语句:SELECT * FROM employee WHERE id = 236893238 OR 1=1;
这条 SQL 代码是有效的,将从 employee 表中返回所有符合条件的记录。1=1
始终成立,这条 SQL 语句将返回 employee 表中的所有记录,这意味着,所有的员工信息都将被泄露。SELECT * FROM employee WHERE (username="" or 1=1) AND (password="" or 1=1);
;
分隔的两条或者多条 SQL 语句。下面给出的 SQL 语句将返回 employee 表的所有行,然后删除 employee_add 表:
SELECT * FROM employee; DROP TABLE employee_add;
_
和连字符-
:
if (preg_match("/^[\x{4e00}-\x{9fa5}0-9A-Za-z_\-]{2,20}$/u", $_POST['username'], $matches)) { $result = mysql_query("SELECT * FROM user WHERE name = $matches[0]"); } else { echo "Tips from task.lmcjl.com: User name not accepted!"; }
\
),比如'
和"
,请看下面的例子:
// 去除斜杠 if (get_magic_quotes_gpc()) { $name = stripslashes($name); } // 对特殊字符进行转义 $name = mysql_real_escape_string($name); mysql_query("SELECT * FROM user WHERE name='{$name}'");
%
和_
字符进行转义。addcslashes() 允许用户指定要转义的字符,请看下面的代码:
$sub = addcslashes(mysql_real_escape_string("%str"), "%_"); // 转换以后的 $sub == \%str\_ mysql_query("SELECT * FROM messages WHERE subject LIKE '{$sub}%'");
本文链接:http://task.lmcjl.com/news/16152.html