demoUserID = getrequestString("userID");
demoSQL = "SELECT * FROM users WHERE id =" + demoUserID;
236893238 OR 1=1
它将被拼接成下面的 SQL 语句:SELECT * FROM employee WHERE id = 236893238 OR 1=1;
这条 SQL 代码是有效的,将从 employee 表中返回所有符合条件的记录。1=1始终成立,这条 SQL 语句将返回 employee 表中的所有记录,这意味着,所有的员工信息都将被泄露。SELECT * FROM employee WHERE (username="" or 1=1) AND (password="" or 1=1);
;分隔的两条或者多条 SQL 语句。下面给出的 SQL 语句将返回 employee 表的所有行,然后删除 employee_add 表:
SELECT * FROM employee; DROP TABLE employee_add;
_和连字符-:
if (preg_match("/^[\x{4e00}-\x{9fa5}0-9A-Za-z_\-]{2,20}$/u", $_POST['username'], $matches)) {
$result = mysql_query("SELECT * FROM user WHERE name = $matches[0]");
} else {
echo "Tips from task.lmcjl.com: User name not accepted!";
}
\),比如'和",请看下面的例子:
// 去除斜杠
if (get_magic_quotes_gpc()) {
$name = stripslashes($name);
}
// 对特殊字符进行转义
$name = mysql_real_escape_string($name);
mysql_query("SELECT * FROM user WHERE name='{$name}'");
%和_字符进行转义。addcslashes() 允许用户指定要转义的字符,请看下面的代码:
$sub = addcslashes(mysql_real_escape_string("%str"), "%_");
// 转换以后的 $sub == \%str\_
mysql_query("SELECT * FROM messages WHERE subject LIKE '{$sub}%'");
本文链接:http://task.lmcjl.com/news/16152.html