Query about SQL Injection in webpages
This question already has an answer here:
You're apparently substituting the parameters into your SQL string without escaping them. The code presumably looks something like:
$sql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
So after your inputs are substituted, the result is:
SELECT * FROM users WHERE username = 'abs' --' AND password = ''
The quote in the username you entered is terminating the string. Then the --
starts a comment, so the rest of the query is ignored. So you've transformed the query to just:
SELECT * FROM users WHERE username = 'abs'
and it no longer checks the password.
链接地址: http://www.djcxy.com/p/93826.html上一篇: 在T中选择一个表变量
下一篇: 在网页中查询SQL注入