SQL injection sometimes uses an alternative query technique: the original query is made to fail (return nothing), so that a query we constructed executes instead, and its results are displayed where the original query's results would have been.
For example, suppose the original query is select username, email, content from test_table where user_id = uid; where uid is supplied by the user. Normally the result displays the user name, the user's email address and the user's message content. But if uid is not filtered strictly, the following SQL statement can be constructed to obtain information from any table in the database.
uid = -1 union select username, password, content from test_table where user_id = administrator id;
What actually executes is select username, email, content from test_table where user_id = -1 union select username, password, content from test_table where user_id = administrator id; and in the place where a normal user's email would be displayed, the administrator's password appears instead.
But things are often not so simple. First the vulnerability has to be found, and then, when constructing such a statement, the type of each field has to be considered: displaying a varchar field in a position whose type is int or smallint is clearly inappropriate. This article does not go into that further.
If the vulnerable SQL statement has only one or two fields, but we want to learn many things, one or two fields are too few to meet our needs. In that case we can use the concat function.
The concat function is normally used like this: SELECT CONCAT('My', 'S', 'QL'); whose result is 'MySQL'. Its role is to join strings together. We put it to our own use:
uid = -1 union select username, concat(password, sex, address, telephone), content from test_table where user_id = administrator id;
This statement actually selects six fields, but when displayed, the password, sex, address and telephone fields are joined together and shown in the place where the original email would have been displayed.
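The following is an added example, not code from the original article: the string-concatenated lookup the article describes beside a parameterized version, run against an in-memory SQLite database with constructed sample rows (the table name, column names and the concat() function registered to mimic MySQL are assumptions for the demo).

```python
"""Added example (not from the original article): the vulnerable pattern
described above beside its parameterized fix, against constructed data."""
import sqlite3


def setup() -> sqlite3.Connection:
    """Constructed sample schema and rows; user_id 1 is the administrator."""
    conn = sqlite3.connect(":memory:")
    # SQLite may lack MySQL's CONCAT(); register an equivalent so the
    # article's injected statement runs verbatim in this demo.
    conn.create_function("concat", -1, lambda *a: "".join(str(x) for x in a))
    conn.execute("""CREATE TABLE test_table (
        user_id INTEGER, username TEXT, password TEXT, email TEXT,
        content TEXT, sex TEXT, address TEXT, telephone TEXT)""")
    conn.executemany("INSERT INTO test_table VALUES (?,?,?,?,?,?,?,?)", [
        (1, "admin", "s3cret", "admin@example.com", "hello", "m", "HQ", "555-0100"),
        (2, "alice", "pw2", "alice@example.com", "hi", "f", "Home", "555-0101"),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, uid: str) -> list:
    """Untrusted input pasted into the SQL text: a UNION SELECT supplied in
    `uid` becomes part of the query, the original WHERE matches nothing,
    and the injected rows land in the username/email/content slots."""
    sql = ("SELECT username, email, content FROM test_table "
           f"WHERE user_id = {uid}")
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, uid: str) -> list:
    """Fix: validate the type, then bind uid as a value, never as SQL text.
    Anything that is not an integer is rejected before a query is built."""
    try:
        uid_int = int(uid)
    except ValueError:
        raise ValueError("user_id must be an integer") from None
    return conn.execute(
        "SELECT username, email, content FROM test_table WHERE user_id = ?",
        (uid_int,),
    ).fetchall()


if __name__ == "__main__":
    db = setup()
    print(lookup_vulnerable(db, "2"))   # normal user row
    print(lookup_safe(db, "2"))         # same row, bound as a parameter
```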