更新时间:2023-02-05 21:57:52
在我看来,用户输入的内容将包含在单引号内
It seems to me like the input from the user would be contained inside the single quotes
除非您在发布的name
中包含单引号,否则将使您不使用引号.例如,将名称发布为:
It would unless you include single quotes in the posted name
, which would allow you to break out of the quotes. Example, post the name as:
' or 1 or '
WHERE子句变为:
The WHERE clause becomes:
WHERE id = '' or 1 or '';
由于or 1
部分,这将匹配并检索表中的所有行.如您所见,它突破了引号,注入了一些SQL,然后又回到了引号中,以使查询有效.
This would match and retrieve all rows in the table because of the or 1
part. As you can see, it breaks out of the quotes to inject some SQL, then it goes back into the quotes to make the query valid.
您可以在一个
mysqli_query
语句中执行多个查询吗?
Can you execute more than one query in one
mysqli_query
statement?
否,但是如果使用mysqli_multi_query
执行,则可以在末尾添加多个查询.
No, but if it was executed with mysqli_multi_query
then yes you could add multiple queries on to the end.
使上述安全性与
mysqli_real_escape_string
一样容易吗?
通常是的,但是准备声明会更好.使用转义,WHERE
子句将变为(使用上面的示例):
Generally yes but a Prepared Statement would be better. Using escaping, the WHERE
clause would become (using my example above):
WHERE id = '\' or 1 or \'';
这不再是脆弱的,因为引号不能被打断,并且仅当name
字面匹配' or 1 or '
时才匹配行,这显然是不可能的.
This is no longer vulnerable because the quotes can't be broken out of, and would only match rows if the name
literally matches ' or 1 or '
which is obviously unlikely.