此处描述的 INSERT 上的 SQL 注入似乎不适用于 MySQL.INSERT 上的 SQL 注入
The SQL Injection on INSERT as described here doesn't seem to work with MySQL. SQL injection on INSERT
当我使用这个语句时:
INSERT INTO COMMENTS VALUES('122','$_GET[value1]');
以此作为'value1'变量值:
With this as the 'value1' variable value:
<代码>');从用户中删除;--
返回此错误:
错误:您的 SQL 语法有错误;检查与您的 MySQL 服务器版本相对应的手册,以获取在删除用户"附近使用的正确语法;--')' 在第 1 行
怎么了???
PS:有人建议我用这个作为变量值进行 SQL 注入:
PS: Someone suggested me to do an SQL injection with this as variable value:
',(SELECT group_concat(table_name) FROM information_schema.tables INTO OUTFILE '/var/www/tables.txt'))--
但它也不起作用,并返回语法错误.
But it didn't work either, and returned a syntax error.
您的注入将单个 SQL 语句 (INSERT ...
) 转换为多个 SQL 语句 (INSERT ...;删除...
).
Your injection turns a single SQL statement (INSERT ...
) into multiple SQL statements (INSERT ...; DELETE ...
).
但是,PHP mysql API 不支持多条语句一个查询.(底层 MySQL C API 必须明确指示支持此功能,您的绑定不支持.)
However, the PHP mysql API does not support multiple statements in a single query. (The underlying MySQL C API must be explicitly instructed to support this functionality, which your bindings do not do.)
这篇关于INSERT 上的 SQL 注入的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!