SQL Injection php



I am practising SQL injection.

http://localhost/injection/index.php?id=1%3BDELETE+FROM+users

With this injection, only the first code works.

With the second code I get this error: Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'DELETE FROM users' at line 3

   // First version (PDO): the id from the query string is concatenated straight into the SQL text
   $pdo = new PDO('mysql:host=localhost;dbname=injection', 'root', '');
   $id = $_GET['id'];
   $statement = $pdo->query("SELECT * FROM users WHERE id = " . $id);
   $row = $statement->fetch(PDO::FETCH_ASSOC);
   echo htmlentities($row['users']);
   // Second version (mysqli): the same concatenation, sent through mysqli_query()
   require_once("conn.php");
   $id = $_GET['id'];
   $query = "SELECT *
             FROM users
             WHERE id = " . $id;

   $result = mysqli_query($conn, $query) or die("Error: " . mysqli_error($conn));
   $row = mysqli_fetch_array($result);

   echo htmlentities($row['users']);

It seems mysqli_query does not support multiple queries. You should try mysqli_multi_query(), but from a security point of view that is not a good idea.
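As an added example (not code from the question or the answer): the PDO MySQL driver accepts stacked statements in query() by default, which is why the first snippet ran the DELETE, so the fix is to stop interpolating the id at all. The lookup below uses a prepared statement and turns multi-statement support off at the driver level; it assumes the same local `injection` database, `users` table and `users` column as the question.

```php
<?php
// Added example, not the asker's code. Assumes the question's local
// 'injection' database and 'users' table.

function fetchUserById(PDO $pdo, string $rawId): ?array
{
    // Validate the shape of the input before it gets near the database:
    // an id is a string of digits, nothing else. "1;DELETE FROM users" fails here.
    if (!ctype_digit($rawId)) {
        return null;
    }

    // Placeholders keep the SQL text and the data separate; the value is sent
    // as a parameter, so a trailing "; DELETE ..." can never be parsed as SQL.
    $stmt = $pdo->prepare('SELECT * FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=injection;charset=utf8mb4',
    'root',
    '',
    [
        // Native server-side prepares: the server receives the statement and
        // the parameters separately instead of PHP splicing them together.
        PDO::ATTR_EMULATE_PREPARES => false,
        // Second layer: refuse stacked statements in query() and prepare().
        PDO::MYSQL_ATTR_MULTI_STATEMENTS => false,
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]
);

$row = fetchUserById($pdo, $_GET['id'] ?? '');
if ($row === null) {
    http_response_code(404);
    echo 'No such user';
} else {
    // Escape on output, as the original does, so the value cannot inject HTML.
    echo htmlentities($row['users'], ENT_QUOTES, 'UTF-8');
}
```

Requesting `index.php?id=1%3BDELETE+FROM+users` now returns 404 from the ctype_digit check, and even an id that passed validation could only ever be bound as an integer parameter.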
