Query about SQL Injection in webpages

This question already has an answer here:

  • How does the SQL injection from the “Bobby Tables” XKCD comic work? 12 answers

  • You're apparently substituting the parameters into your SQL string without escaping them. The code presumably looks something like:

    $sql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
    

    So after your inputs are substituted, the result is:

    SELECT * FROM users WHERE username = 'abs' --' AND password = ''
    

    The quote in the username you entered is terminating the string. Then the -- starts a comment, so the rest of the query is ignored. So you've transformed the query to just:

    SELECT * FROM users WHERE username = 'abs'
    

    and it no longer checks the password.

    链接地址: http://www.djcxy.com/p/93826.html

    上一篇: 在T中选择一个表变量

    下一篇: 在网页中查询SQL注入