mysql_query注入-替换返回的字段

Question

im trying to learn and understand mysql inject, i have created demo case.

SELECT ret_variable FROM data WHERE name = '".$name."' AND age = ".$age;

then if(ret_variable == 2){something} but query originally returns 1 and i need to force it to output 2

How to modify $age variable to set custom output field for ret_variable (only in response) ? I have tried few ways with OR but didn't wroked.

Answer 1

I see no practical application other than learning. I assume since you know the code , you have permission to test this out. So let's give it a go!

You can only return a 2 for the ret_variable when there is a row in the database with a value of 2 as the ret_variable and you know the name value of that row. You can for instance enter that name and the following to bypass the correct value for the age.

age AND ret_value = 2

That would create the following query:

SELECT ret_variable FROM data WHERE name = 'John' AND age = age AND ret_value = 2;

The principle of mysql injection is this sort of manipulation of the query. But you can not force a value which is returned unless there is a row in the database with this value for ret_variable and you can somehow select this row.

When you don't know the name (or there is no record of your known name with a ret_variable of 2) it is not possible.

Since the AND operator has precedence over the OR operator you cannot manipulate the query to give a 2 as ret_variable. This is because the name = '?' part will always fail.