php - 本地主机上的 SQL 注入(inject)不起作用-6ren

php - 本地主机上的 SQL 注入(inject)不起作用

转载作者：行者123 更新时间：2023-11-29 10:37:38

因此，我尝试设计一个非常简单且易受攻击的网站来演示 SQL 注入(inject)的工作原理，但是当我尝试使用

进行注入(inject)时

');SELECT * FROM users;--

我收到一条错误消息，指出:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'SELECT * FROM users;--')' at line 1

源代码如下:

welcome1.html:

<form action="test.php" method="get">  
  <div><label for="firstname">First name:  
    <input type="text" name="firstname" id="firstname"/></label>  
  </div>  
  <div><label for="lastname">Last name:  
    <input type="text" name="lastname" id="lastname"/></label></div>  
	<div><label for="email">E-mail : 
    <input type="text" name="email" id="email"/></label></div>  
	<div><label for="password">password:  
    <input type="text" name="password" id="password"/></label></div>  
  <div><input type="submit" value="GO"/></div>  
</form>

测试.php:

<html>
<body>
 
 
<?php
$con = @mysql_connect("localhost","root","");
if (!$con)
  {
  die('Could not connect ' . mysql_error());
  }
 
mysql_select_db("accounts", $con);
$firstname = $_GET['firstname'];  
$lastname = $_GET['lastname']; 
$email = $_GET['email'];  
$password = $_GET['password']; 
$sql="INSERT INTO users(firstname, lastname, email, password)
VALUES
('$firstname','$lastname','$email','$password')";



if(!mysql_query("INSERT INTO users(firstname, lastname, email, password) VALUES ('$firstname','$lastname','$email','$password')"))
  {
  die('Error: ' . mysql_error());
  }

echo "1 record added";
 
mysql_close($con)
?>
</body>
</html>