SQL Injection Username and Password

This question already has an answer here:

How does the SQL injection from the “Bobby Tables” XKCD comic work? 12 answers

---

your problem is located in the select statement:

SELECT * FROM users WHERE username='$username' AND password='$password'

Imagine a user providing the name ' OR 1=1 LIMIT 1 -- (note the space after -- ) It would always exactly return ONE result row - so the login is valid, cause the query executed would be:

SELECT * FROM users WHERE username='' OR 1=1 LIMIT 1 -- ' AND password='$password' 

mysql will ignore the comment, so the query is:

SELECT * FROM users WHERE username='' OR 1=1 LIMIT 1

You should escape the values before using them:

$username = mysqli_real_escape_string($link, $_POST["username"]);

---

See this fiddle as example: http://sqlfiddle.com/#!2/fd8be/1 (One resultrow -> Your logic would say: "Logged in!" - without even knowing any username and/or password.)

链接地址: http://www.djcxy.com/p/93810.html

上一篇: SqlParameter对象C＃

下一篇: SQL注入用户名和密码