dongwen7283 2015-01-06 12:53
浏览 178
已采纳

SQL注入不起作用

I was checking my webpages for SQL Injection, when the main pages didn't responded to it, I created a test script:

<?
$a = $_POST["a"];
$username="...";
$password="...";
$database="...";

mysql_connect ('...',$username,$password);
mysql_select_db($database) or die( "Unable to select database");

$ress=mysql_query("SELECT username FROM userinfo WHERE id='$a'");
$row = mysql_fetch_array($ress);

print $row[0];
?>
<form name="form" action="hackMe.php" method="POST">
   <input id="a" name="a" size="150">
   <input name="Submit" type="submit" value="Submit">
</form>

But when I try this line:

'; UPDATE userinfo SET email = 'steve@unixwiz.net' WHERE email = 'testusr@gmail.com

I just get an error, and no change in the database.

Any ideas why?

  • 写回答

1条回答 默认 最新

  • douzhuochao4027 2015-01-06 13:20
    关注

    Quote from the manual:

    mysql_query() sends a unique query (multiple queries are not supported) to the currently active database on the server that's associated with the specified

    Highlighting by me. mysql_query() only allows a single query query per call, the second query behind the ; is ignored.

    To test SQL injection you have to use a query that doesn't need a second one to do harm.

    Edit:

    It IS possible to allow multiple queries, but you have to explicitly state this in the mysql_connect() call.

    mysql_connect($host, $username, $password, false, 65536);
// defined by MySQL:
// #define CLIENT_MULTI_STATEMENTS 65536 /* Enable/disable multi-stmt support */
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 虚幻5 UE美术毛发渲染
  • ¥15 CVRP 图论 物流运输优化
  • ¥15 Tableau online 嵌入ppt失败
  • ¥100 支付宝网页转账系统不识别账号
  • ¥15 基于单片机的靶位控制系统
  • ¥15 真我手机蓝牙传输进度消息被关闭了,怎么打开?(关键词-消息通知)
  • ¥15 下图接收小电路,谁知道原理
  • ¥15 装 pytorch 的时候出了好多问题,遇到这种情况怎么处理?
  • ¥20 IOS游览器某宝手机网页版自动立即购买JavaScript脚本
  • ¥15 手机接入宽带网线,如何释放宽带全部速度