douruduan8812 2018-06-18 08:05
浏览 34
已采纳

有人在sql注入时解释这一步

while am trying to understand sqlinjection i didn't get this part,first this is my code 

<?php
include "../chat/db.php";
if (isset($_GET['id'])) {
    $id = $_GET['id'];
    $query = "select user_n,user_id from users where user_id<$id union select 1,2 ";
    $sql = mysqli_query($con, $query);
    if ($sql) {
        if (mysqli_num_rows($sql) > 0) {
            while ($result = mysqli_fetch_assoc($sql))
                echo "user name: " . $result["user_n"] . "of the id= " . $result["user_id"] . "</br>";

        } else {
            echo "there's no results";

        }

    }

} else {
    echo "error";
}
$tt = rand(0, 30);
?>
</br>
<a href=<?php echo "sql.php?id=" . $tt; ?>> <?php echo $tt; ?>  </a>

results are fine as u see in this pic results

what i dont understand is this union select 1,2 result

{user name: 1of the id= 2} shows up because

union select 1,2

my question is why it shows up like that please if can some one explain this step of "select 1,2" thank you and sry if something not clear or i explain my point badly.

  • 写回答

1条回答 默认 最新

  • dsxmwin86342 2018-06-18 14:38
    关注

    Any request can manipulate the query through SQL injection.

    For example, I could make a request of your page:

    http://example.com/chat/index.php?id=0+UNION+SELECT+TABLE_SCHEMA,TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES

    Basically, anyone can inject any SQL query as long as that query selects two expressions. Just add a number to finish the id < $id expression, but the value of $id can go on with anything else the request passed to the PHP code.

    I don't know why the query includes union select 1,2. I suppose this is an example coding exercise in a class teaching you SQL injection risks, and the union select 1,2 is a way for the instructor to give you a hint that the SQL injection involves UNION.

    You could make this query safer in either of two ways:

    1. Cast the parameter to a number, which removes any non-numeric part:

      $id = (int) $_GET['id'];

    2. Use a query parameter:

      $query = "select user_n,user_id from users where user_id < ? union select 1,2 ";

    See How can I prevent SQL injection in PHP? for more details on query parameters.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 yolov8边框坐标
  • ¥15 matlab中使用gurobi时报错
  • ¥15 这个主板怎么能扩出一两个sata口
  • ¥15 不是,这到底错哪儿了😭
  • ¥15 2020长安杯与连接网探
  • ¥15 关于#matlab#的问题:在模糊控制器中选出线路信息,在simulink中根据线路信息生成速度时间目标曲线(初速度为20m/s,15秒后减为0的速度时间图像)我想问线路信息是什么
  • ¥15 banner广告展示设置多少时间不怎么会消耗用户价值
  • ¥16 mybatis的代理对象无法通过@Autowired装填
  • ¥15 可见光定位matlab仿真
  • ¥15 arduino 四自由度机械臂