2017-01-16 68 views
-3

我的PHP代碼:這個mysql查詢如何工作?

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 
<html xmlns="http://www.w3.org/1999/xhtml"> 
    <head> 
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> 
     <title>Less-1 SqL Injection master Course by Hitesh Choudhary</title> 
     <link rel="stylesheet" href="../index.html_files/freemind2html.css" type="text/css"/> 
    </head> 
    <body> 
     <div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center"> 
      <h1><span class="style1">Welcome </span><font color="#FF0000">to SQL injection Master Course </font></h1> 
      <h1><span class="style2">Lesson-1</span></h1> 
      <h1><span class="style4">Hint : Error based string</span> <br> 
       <font size="3" color="#666666"> 
       <?php 
        //including the Mysql connect parameters. 
        include("../sql-connections/sql-connect.php"); 

        // take the variables 
        if(isset($_GET['id'])) 
        { 
         $id=$_GET['id']; 
         //logging the connection parameters to a file for analysis. 
         //$fp=fopen('result.txt','a'); 
         //fwrite($fp,'ID:'.$id."\n"); 
         //fclose($fp); 

         // connectivity 

         $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1"; 
         $result=mysql_query($sql); 
         $row = mysql_fetch_array($result); 

          if($row) 
          { 
           echo '<font color= "#0000ff">'; 
           echo 'Your Login name:'. $row['username']; 
           echo "<br>"; 
           echo 'Your Password:' .$row['password']; 
           echo "</font>"; 
          } 
          else 
          { 
           echo '<font color= "#900">'; 
           print_r(mysql_error()); 
           echo "</font>"; 
          } 
         } 
         else { echo "Please input the ID as parameter with numeric value";} 

       ?> 
       </font> 
      </h1> 
     </div> 
     <img border="0" src="img1.gif" alt="funny" width="200" height="200"> 
     <div class="botton_fix">For more please visit : <a href="http://www.hiteshchoudhary.com" target="_blank">www.hiteshchoudhary.com</a></div> 
     </br></br></br> 
     <center> 
     </center> 
    </body> 
</html> 

我試圖SQL中使用下面的查詢

localhost/example/Less-1/index.php?id=1 order by 100

結果是用戶名注入此頁:一些和密碼:一些

localhost/example/Less-1/index.php?id=1

結果是用戶名:一些和密碼:一些

我也檢查了$id=2,3,...等,它正常工作 它爲什麼這樣工作?我應該得到一個錯誤嗎?

+0

我首先建議你不要使用棄用的API mysql_ *,但要使用myslqi_ *或更好的PDO。 Mysql_ * API已在PHP v7中刪除 –

+0

我想你錯過了單引號。嘗試ocalhost/example/Less-1/index.php?id = 1'; DROP TABLE用戶; # – Alex

回答

0

我不知道,你將如何連接你的數據庫和使用連接..所以我寫了數據庫連接代碼..請嘗試使用它,讓我知道,如果你有任何問題。 :

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 
<html xmlns="http://www.w3.org/1999/xhtml"> 
    <head> 
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> 
     <title>Less-1 SqL Injection master Course by Hitesh Choudhary</title> 
     <link rel="stylesheet" href="../index.html_files/freemind2html.css" type="text/css"/> 
    </head> 
    <body> 
     <div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center"> 
      <h1><span class="style1">Welcome </span><font color="#FF0000">to SQL injection Master Course </font></h1> 
      <h1><span class="style2">Lesson-1</span></h1> 
      <h1><span class="style4">Hint : Error based string</span> <br> 
       <font size="3" color="#666666"> 


       <?php 


       // include("../sql-connections/sql-connect.php"); 


       if (!$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')) { 
         echo 'Could not connect to mysql'; 
         exit; 
        } 

        if (!mysql_select_db('mysql_dbname', $link)) { 
         echo 'Could not select database'; 
         exit; 
        } 

        $sql = "SELECT * FROM users WHERE id='".$id."' LIMIT 0,1"; 
        $result = mysql_query($sql, $link); 

        if (!$result) { 
         echo "DB Error, could not query the database\n"; 
         echo 'MySQL Error: ' . mysql_error(); 
         exit; 
        } 

        while ($row = mysql_fetch_assoc($result)) { 
         echo '<font color= "#0000ff">'; 
           echo 'Your Login name:'. $row['username']; 
           echo "<br>"; 
           echo 'Your Password:' .$row['password']; 
           echo "</font>" 
        } 

        mysql_free_result($result); 




       ?> 
       </font> 
      </h1> 
     </div> 
     <img border="0" src="img1.gif" alt="funny" width="200" height="200"> 
     <div class="botton_fix">For more please visit : <a href="http://www.hiteshchoudhary.com" target="_blank">www.hiteshchoudhary.com</a></div> 
     </br></br></br> 
     <center> 
     </center> 
    </body> 
</html> 
+1

謝謝。有效 –

0

數據庫查詢在這種情況下不會拋出任何錯誤。你必須拋出異常,如果ID不等於會話ID

if ($_GET['id'] != $_SESSION['id']) { 
    throw \Excetption("You don't have access."); 
}