Can't see how my code can be SQL injected but apparently it can?

This question already has an answer here:

  • Why shouldn't I use mysql_* functions in PHP? 14 answers

    (My implementation of MySQL uses # to denote comments, not //.)

    Here is how a user could get all of your products, active or not:

    &scatid=1059' UNION ALL SELECT * from products #
    

    Or an even easier way:

    &scatid=1059' OR 1=1 #
    

    For each example, imagine what the query would then look like:

    SELECT * FROM products
    WHERE sub_category='1059' OR 1=1 #
    AND active = 'Y' ORDER BY id DESC
    

    The comment device prevents the rest of the query getting in the way, so we essentially have:

    SELECT * FROM products
    WHERE sub_category='1059' OR 1=1
    

    The 1=1 will always be true, hence all filtering has been subverted. This is of particular concern where security is involved, eg user login systems.

    However, you have been trying this:

    &scatid=1059' OR DROP TABLE sub_category //
    

    That will result in a SELECT statement containing a DROP statement, which is not valid SQL. This is why your injection attempt did not work - the database would have returned an error, but your app did not report it.
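The two outcomes the answer describes, filter bypass via `OR 1=1` plus a comment, and a syntax error when `DROP TABLE` is spliced into a `SELECT`, reproduced as an added example (not code from the question or the answer above). It uses Python with the built-in sqlite3 module instead of PHP/MySQL so it runs offline; the products table and its rows are constructed sample data, and because SQLite's line comment is `--` rather than MySQL's `#`, the payloads use `--`. The string-built query mirrors the question's vulnerable form; `products_safe` shows the parameterised version that the duplicate-target answer recommends.

```python
import sqlite3

# Constructed sample data (not from the original post): active and inactive
# rows in the same sub-category, so a bypass of the active='Y' filter is visible.
SAMPLE_PRODUCTS = [
    (1, "1059", "Y", "widget"),
    (2, "1059", "N", "discontinued widget"),
    (3, "2000", "Y", "gadget"),
]

# SQLite uses "--" for line comments where the answer's MySQL uses "#".
BYPASS_INPUT = "1059' OR 1=1 --"
BROKEN_INPUT = "1059' OR DROP TABLE sub_category --"


def make_db():
    """In-memory database with the constructed products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER, sub_category TEXT, active TEXT, name TEXT)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", SAMPLE_PRODUCTS)
    return conn


def products_vulnerable(conn, scatid):
    """String-built query, as in the question: user input becomes SQL text."""
    sql = (
        f"SELECT * FROM products WHERE sub_category='{scatid}' "
        f"AND active = 'Y' ORDER BY id DESC"
    )
    return conn.execute(sql).fetchall()


def products_safe(conn, scatid):
    """Parameterised query: the value is bound by the driver and can never be parsed as SQL."""
    sql = "SELECT * FROM products WHERE sub_category=? AND active = 'Y' ORDER BY id DESC"
    return conn.execute(sql, (scatid,)).fetchall()


def demo():
    """Returns (normal_rows, leaked_rows, safe_rows, drop_attempt_raised)."""
    conn = make_db()
    normal = products_vulnerable(conn, "1059")       # only the active widget
    leaked = products_vulnerable(conn, BYPASS_INPUT)  # every product, active or not
    safe = products_safe(conn, BYPASS_INPUT)          # no sub_category equals that literal
    try:
        products_vulnerable(conn, BROKEN_INPUT)
        raised = False
    except sqlite3.OperationalError:
        # A SELECT containing DROP is not valid SQL, so the database rejects it.
        # The question's app swallowed this error; log it instead so such
        # attempts are visible.
        raised = True
    return len(normal), len(leaked), len(safe), raised


if __name__ == "__main__":
    print(demo())
```

The interesting comparison is the third value: with the bound parameter the same `1059' OR 1=1 --` input simply matches no sub-category, because it is compared as a string rather than interpreted as a predicate. The database error in the last case is the signal the question's application was missing; a query failure on user-controlled input is worth logging rather than silently returning an empty page.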

    Link: http://www.djcxy.com/p/16774.html