dongwen7283 2015-01-06 04:53
浏览 178
已采纳

SQL注入不起作用

I was checking my webpages for SQL Injection, when the main pages didn't responded to it, I created a test script:

<?
$a = $_POST["a"];
$username="...";
$password="...";
$database="...";

mysql_connect ('...',$username,$password);
mysql_select_db($database) or die( "Unable to select database");

$ress=mysql_query("SELECT username FROM userinfo WHERE id='$a'");
$row = mysql_fetch_array($ress);

print $row[0];
?>
<form name="form" action="hackMe.php" method="POST">
   <input id="a" name="a" size="150">
   <input name="Submit" type="submit" value="Submit">
</form>

But when I try this line:

'; UPDATE userinfo SET email = 'steve@unixwiz.net' WHERE email = 'testusr@gmail.com

I just get an error, and no change in the database.

Any ideas why?

  • 写回答

1条回答 默认 最新

  • douzhuochao4027 2015-01-06 05:20
    关注

    Quote from the manual:

    mysql_query() sends a unique query (multiple queries are not supported) to the currently active database on the server that's associated with the specified

    Highlighting by me. mysql_query() only allows a single query query per call, the second query behind the ; is ignored.

    To test SQL injection you have to use a query that doesn't need a second one to do harm.

    Edit:

    It IS possible to allow multiple queries, but you have to explicitly state this in the mysql_connect() call.

    mysql_connect($host, $username, $password, false, 65536);
    // defined by MySQL:
    // #define CLIENT_MULTI_STATEMENTS 65536 /* Enable/disable multi-stmt support */
    
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
编辑
预览

报告相同问题?

悬赏问题

  • ¥15 DevEco studio开发工具 真机联调找不到手机设备
  • ¥15 请教前后端分离的问题
  • ¥100 冷钱包突然失效,急寻解决方案
  • ¥15 下载honeyd时报错 configure: error: you need to instal a more recent version of libdnet
  • ¥15 距离软磁铁一定距离的磁感应强度大小怎么求
  • ¥15 霍尔传感器hmc5883l的xyz轴输出和该点的磁感应强度大小的关系是什么
  • ¥15 vscode开发micropython,import模块出现异常
  • ¥20 Excel数据自动录入表单并提交
  • ¥30 silcavo仿真,30分钟,只需要代码
  • ¥15 FastReport 怎么实现打印后马上关闭打印预览窗口