[英]Why isn't this test SQL injection returning all rows in the table?
I was trying to follow this example on a local webpage I run using WAMP. 我试图在我使用WAMP运行的本地网页上关注此示例 。 Here is the code
这是代码
<!DOCTYPE html>
<head>
<title>Testing SQL injection</title>
</head>
<body>
<?php
$link = mysql_connect('localhost:3306', 'root', 'St@ck0verflow');
if(!$link)
die('Could not connect: ' . mysql_error());
if(!mysql_select_db('opentarget', $link))//arguments are in revere order compared to mysqli
die('Could not select database');
// a good user's name
$name = "Onetwo";
$query = "SELECT * FROM customers WHERE username = '$name'";
echo "Normal: " . $query . "<br />";
$result = mysql_query($query);
echo "Result: <pre>";
print_r(mysql_fetch_row($result));
echo "</pre><br /><br />";
// user input that uses SQL Injection
$name_bad = "' OR 1'";
// our MySQL query builder, however, not a very safe one
$query_bad = "SELECT * FROM customers WHERE username = '$name_bad'";
$result = mysql_query($query);
// display what the new query will look like, with injection
echo "Injection: " . $query_bad.'<br />Result: <pre>';
print_r(mysql_fetch_row($result));
echo '</pre>';
echo '<br />Any errors? '.mysql_errno($link) . ": " . mysql_error($link);
?>
</body>
</html>
The first query runs as expected but when I print the result of the second one it is the same as the first. 第一个查询按预期运行,但是当我打印第二个查询的结果时,它与第一个查询相同。 I thought it would print out all the contents of the table?
我以为会打印出表格的所有内容? What exactly does
OR 1
do? OR 1
究竟做了什么?
I tried running the bad query directly in MySQL from the command line, and unless I'm doing something wrong I get the empty set (which is different than the results displayed in PHP). 我尝试从命令行直接在MySQL中运行错误的查询,除非我做错了,否则我得到空集(这与PHP中显示的结果不同)。
$query_bad = "SELECT * FROM customers WHERE username = '$name_bad'";
$result = mysql_query($query);
See how your SQL string variable is different to the variable you put in the query function? 查看您的SQL字符串变量与您在查询函数中放入的变量的不同之处? You are building
$query_bad
but passing $query
to the mysql_query()
function. 您正在构建
$query_bad
但将$query
传递给mysql_query()
函数。
OR 1 Always evaluates to true because 1=TRUE in PHP. OR 1始终求值为true,因为PHP中的1 = TRUE。
So basically it is trying to show you what happens when someone puts bad text into some piece of data you are using in a query... 所以基本上它试图向您展示当有人将错误文本放入您在查询中使用的某些数据时会发生什么......
Your original query was 你的原始查询是
SELECT * FROM customers WHERE username = '$name'
But that name variable might be set to this phrase: 但该名称变量可能设置为此短语:
' OR 1'
So you just piece those together and will see that instead of returning just the username you want, SQL will return and username that is a) '' [blank], or b) Anything (Because each time 1=TRUE so the row is returned). 因此,您只需将它们拼凑在一起,就会看到而不是只返回您想要的用户名,SQL将返回并且用户名为a)''[空白],或b)任何内容(因为每次1 = TRUE所以返回行)。
EDITED - Added below line to help clarify 编辑 - 添加以下行以帮助澄清
To simplify this better, imagine the sql server looking for data. 为了更好地简化这一点,想象一下sql server寻找数据。 It will look at each row and run that
WHERE
statement. 它将查看每一行并运行该
WHERE
语句。 So it hits row 1 and asks does username = "harry"?
所以它命中第1行并询问
does username = "harry"?
. 。 It will then return the row if this is true, or skip the row if it is false.
如果为真,它将返回该行,如果为假则跳过该行。
Now, Lets say you load $name from an input box on a web form. 现在,让我们说你从Web表单上的输入框加载$ name。 I might enter "Harry" or "Tom" or whatever.
我可能会输入“哈利”或“汤姆”或其他什么。 These are all valid.
这些都是有效的。 But what if I instead enter
Harry' OR TRUE
. 但是,如果我改为进入
Harry' OR TRUE
那该怎么办呢。 On every row, SQL is asking Does username='Harry' OR TRUE
Of course it probably evaluates Username=Harry to false, but the logical expression returns true because the second part is always true. 在每一行上,SQL都会问:
Does username='Harry' OR TRUE
当然它可能会将Username = Harry评估为false,但逻辑表达式返回true,因为第二部分始终为true。
(0 OR 1) is always evaluated to TRUE.
I hope that helps clarify. 我希望这有助于澄清。
Also, check out this link to understand injection attacks better... http://www.unixwiz.net/techtips/sql-injection.html 另外,请查看此链接以更好地了解注入攻击... http://www.unixwiz.net/techtips/sql-injection.html
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.