SQL Injection Username and Password

This question already has an answer here:

  • How does the SQL injection from the “Bobby Tables” XKCD comic work? 12 answers

  • your problem is located in the select statement:

    SELECT * FROM users WHERE username='$username' AND password='$password'
    

    Imagine a user providing the name ' OR 1=1 LIMIT 1 -- (note the space after -- ) It would always exactly return ONE result row - so the login is valid, cause the query executed would be:

    SELECT * FROM users WHERE username='' OR 1=1 LIMIT 1 -- ' AND password='$password' 
    

    mysql will ignore the comment, so the query is:

    SELECT * FROM users WHERE username='' OR 1=1 LIMIT 1
    

    You should escape the values before using them:

    $username = mysqli_real_escape_string($link, $_POST["username"]);
    

    See this fiddle as example: http://sqlfiddle.com/#!2/fd8be/1 (One resultrow -> Your logic would say: "Logged in!" - without even knowing any username and/or password.)

    链接地址: http://www.djcxy.com/p/93810.html

    上一篇: SqlParameter对象C#

    下一篇: SQL注入用户名和密码