
PHP Using % inside mysqli where clause [Havij]

So my website was open to SQL injection and exploited using Havij. My question is: for that program you can do a placeholder in the format of getVariable=%inject_Here%.

Now I know in a like statement you can use % as a wild card.

Do % signs have any significance inside an equals comparison? Or with that structure is it literally looking for the string "%inject_Here%".

I'm just trying to understand the format to help further prevent injection.

Any information on the subject would be appreciated!

You can convert a string to its hexadecimal value. Here is a website about doing that in SQL: http://www.codeproject.com/Articles/610089/SQL-Servers-FORMAT-function#13. Every language has an easy-to-use method to convert strings to and from hexadecimal. This will enable you to place any character you want in the string.

If you are actually using percentages in a mathematical type of way, it is not proper to store them in your SQL string. You should store them in decimal format, decimal(p,s), for example decimal(5,2).
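To the question of whether % means anything in an equals comparison: in MySQL it is a wildcard only inside a LIKE pattern; in `=` it is an ordinary character. The following is an added example (not code from the question or the answer above) showing the mysqli prepared-statement form in which user input, % included, is bound as data rather than spliced into the SQL text; the `users(id, name)` table and the connection credentials are assumed for illustration.

```php
<?php
// Added example, not code from the original post. The table users(id, name)
// and the credentials are assumed; the mysqli calls are the real PHP API.
declare(strict_types=1);

// Make mysqli throw on errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Equality lookup. A bound parameter is sent as data, never spliced into
// the SQL text, and '=' compares whole strings: "%inject_Here%" matches
// only a row whose name is literally that text, percent signs included.
function find_user_by_name(mysqli $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// LIKE is the only place where '%' and '_' act as wildcards. Escape them so
// that user text is matched literally; '!' is declared as the escape
// character so the result does not depend on the server's backslash mode.
function escape_like(string $s): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $s);
}

// Substring search: the wildcards are added by the code, not by the user.
function search_users(mysqli $db, string $fragment): array
{
    $pattern = '%' . escape_like($fragment) . '%';
    $stmt = $db->prepare("SELECT id, name FROM users WHERE name LIKE ? ESCAPE '!'");
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

$db = new mysqli('localhost', 'app', 'secret', 'appdb');   // assumed credentials
var_dump(find_user_by_name($db, '%inject_Here%'));         // NULL unless a row has exactly that name
var_dump(search_users($db, '50%'));                         // rows whose name contains the literal "50%"
```

With the input bound this way, a probe such as `%inject_Here%` cannot change the structure of either query; it can only affect which rows match.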

