In the sqli-labs game, --+ is often used to comment out the excess trailing part of the statement, while the MySQL comment markers # and -- cannot be used directly. I had never learned MySQL before and never understood this, and I did not know what the + does. Today I had time to look into it specifically and work out why.
Source: https://www.cnblogs.com/laoxiajiadeyun/p/10274780.html
First, an example:
Adding the following two lines to the source code makes the web page echo the effective input and the MySQL statement executed for our input, which makes analysis easier:
First, pass a normal parameter in the address bar, as follows:
The payload used when guessing the number of columns:
The effective input shown on screen:
Trying # or -- here, the executed SQL statement turns out not to contain the # sign.
Using #:
The reason is that the # in a URL is used to direct browser actions (e.g. anchors) and is of no use at all to the server. Therefore, the HTTP request does not include the #.
Changing the # to its URL encoding, %23, makes it work.
Using --:
Using --+:
Compared with the effect of -- above, here the + sign has become a space in the statement. It separates the -- from the single quote that follows, so the rest of the statement is commented out.
Once the principle is understood, the reason -- cannot be used is clear: the -- is joined directly to the single quote behind it, which does not form a valid MySQL statement.
Analyzing the cause by running this statement in mysql: after pressing Enter, the client shows the statement as not closed by the semicolon.
So when injecting, besides --+ we can also use --' to complete the SQL injection statement.
It executes successfully!
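
The behaviour traced above, as an added example that is not from the original post: it decodes each URL suffix the way the server receives it, then applies MySQL's comment rule (# always starts a comment; -- only when followed by whitespace or a control character). The host, path, query template and function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed query template: the parameter sits inside single quotes, as the page describes.
TEMPLATE = "SELECT * FROM users WHERE id='{}' LIMIT 0,1"
# Constructed lab URL prefix (hypothetical host and path).
BASE = "http://lab.example/Less-1/?id=1'"


def server_side_value(url):
    """Decode the id parameter the way the server receives it."""
    # Everything after a literal '#' is the fragment, which the browser
    # never puts into the HTTP request.
    query = urlsplit(url).query
    # parse_qs turns %23 into '#' and '+' into a space.
    return parse_qs(query, keep_blank_values=True)["id"][0]


def effective_sql(sql):
    """Return (sql_without_comment, quote_left_open) under MySQL's comment rules.

    Simplified scanner: single quotes only, backslash escapes not handled.
    """
    in_quote = False
    for i, ch in enumerate(sql):
        if ch == "'":
            in_quote = not in_quote
        elif not in_quote:
            nxt = sql[i + 2:i + 3]
            dash_comment = (sql[i:i + 2] == "--" and nxt
                            and (nxt.isspace() or ord(nxt) < 32))
            if ch == "#" or dash_comment:
                return sql[:i].rstrip(), False
    return sql, in_quote


def analyse(suffix):
    """Build the statement for BASE + suffix and report how it would be read."""
    value = server_side_value(BASE + suffix)
    return (value,) + effective_sql(TEMPLATE.format(value))


if __name__ == "__main__":
    for suffix in ("#", "%23", "--", "--+", "--'"):
        print(repr(suffix), analyse(suffix))
```

For the --' suffix the checker reports no comment and no open quote: the added quote pairs with the template's trailing quote, so the statement is complete without anything being commented out.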