Detailed explanation of SQL injection types and Sqlmap installation and use (with Sqlmap installation package)

1. Introduction to SQL Injection

SQL injection is a technique in which a malicious user injects SQL commands, through a web page, into the SQL statements the application runs. An attacker can bypass user authentication and access restrictions, and modify or delete data in the database. In some cases SQL injection can even be used to execute operating-system-level commands, and an attacker who reaches the intranet this way may pose a greater threat.

The root cause of SQL injection is that user input (GET or POST parameters, cookies, HTTP headers, and so on) is not effectively filtered during development and is brought directly into the SQL statement. Content that should have been parameter data is instead spliced into the SQL statement and parsed with it; that is, data is parsed as code, which leads to the SQL injection vulnerability.

Next, let's look at a simple SQL statement:

$sql = "SELECT * FROM users WHERE id='$id' LIMIT 0,1";

This SQL statement queries the users table for rows whose id equals the input id and returns only the first matching row (LIMIT 0,1).

At this time, if we add to the url:

?id=1'#

What does this mean? It's very simple. 1 stands for always true. The single quotation mark ' closes the single quotation mark in front of the id in the original SQL statement. What does the hash sign # mean? I believe some people have already guessed it: it acts as a comment marker, commenting out everything after it so that the payload can be spliced smoothly into the SQL statement.

We usually use ?id=1 and 1=1 and ?id=1 and 1=2 first to judge whether the injection point is numeric. If the pages returned for these two inputs are different, the injection point is numeric; otherwise it is a character (string) type.
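
The following is an added example, not code from the original post: it runs the inputs quoted above against a spliced query and against a parameterized one, to show why binding keeps input as data. It assumes an in-memory SQLite database as a stand-in for the real one (SQLite does not treat # as a comment, so 1'# produces a parse error here instead of a commented-out tail); the table contents and the function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data standing in for the page's users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return db

def lookup_spliced(db, user_id, quoted=True):
    """Vulnerable: the input is pasted into the SQL text, like the page's $sql."""
    where = "id='%s'" if quoted else "id=%s"
    sql = "SELECT * FROM users WHERE " + (where % user_id) + " LIMIT 0,1"
    return db.execute(sql).fetchall()

def lookup_bound(db, user_id):
    """Hardened: the SQL text is constant and the input is bound as a value."""
    sql = "SELECT * FROM users WHERE id=? LIMIT 0,1"
    return db.execute(sql, (user_id,)).fetchall()

def lookup_validated(db, user_id):
    """Hardened further: id is numeric, so anything but ASCII digits is rejected."""
    if not (user_id.isascii() and user_id.isdigit()):
        raise ValueError("id must be a decimal integer")
    return lookup_bound(db, int(user_id))

def outcome(lookup, db, value, **kwargs):
    """Return the rows, or the exception name when the statement or input is rejected."""
    try:
        return lookup(db, value, **kwargs)
    except (sqlite3.Error, ValueError) as exc:
        return type(exc).__name__

if __name__ == "__main__":
    db = make_db()
    # Inputs taken from the text above.
    for value in ["1", "1 and 1=1", "1 and 1=2", "1'#"]:
        print(repr(value))
        print("  spliced, quoted :", outcome(lookup_spliced, db, value))
        print("  spliced, numeric:", outcome(lookup_spliced, db, value, quoted=False))
        print("  bound           :", outcome(lookup_bound, db, value))
        print("  validated       :", outcome(lookup_validated, db, value))
```

With the spliced numeric query the two test inputs return different results, which is exactly the difference the check above relies on; with the bound query both are compared as plain values and match no row.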

If it is the numeric type, we can directly use ?id=1

Origin blog.csdn.net/qq_35029061/article/details/132639986