'OR 1=1is an attempt to make a query succeed no matter what
The /*is an attempt to start a multiline comment so the rest of the query is ignored.

'OR 1=1是企图使查询成功，不管是什么
的/*是为了让查询的其余部分被忽略，开始多行注释的尝试。

An example would be

一个例子是

SELECT userid 
FROM users 
WHERE username = ''OR 1=1/*' 
    AND password = ''
    AND domain = ''

As you can see if you were to populate the username field without escaping the 'no matter what credentials the user passes in the query would return all userids in the system likely granting access to the attacker (possibly admin access if admin is your first user). You will also notice the remainder of the query would be commented out because of the /*including the real '.

正如您所看到的，如果您要在不转义的情况下填充用户名字段，'无论用户在查询中传递什么凭据都将返回系统中可能授予攻击者访问权限的所有用户 ID（如果 admin 是您的第一个用户，则可能是管理员访问权限）。您还会注意到查询的其余部分将被注释掉，因为/*包含真实的'.

The fact that you can see the value in your database means that it was escaped and that particular attack did not succeed. However, you should investigate if any other attempts were made.

您可以在数据库中看到该值的事实意味着它已被转义并且该特定攻击没有成功。但是，您应该调查是否进行了任何其他尝试。

It probably aimed to select all the informations in your table. If you use this kind of query (for example in PHP) :

它可能旨在选择表中的所有信息。如果您使用这种查询（例如在 PHP 中）：

mysql_query("SELECT * FROM newsletter WHERE email = '$email'");

The email ' OR 1=1/* will give this kind of query :

电子邮件 ' OR 1=1/* 将给出这种查询：

mysql_query("SELECT * FROM newsletter WHERE email = '' OR 1=1/*");

So it selects all the rows (because 1=1 is always true and the rest of the query is 'commented'). But it was not successful

因此它选择所有行（因为 1=1 始终为真，并且查询的其余部分被“注释”）。但它没有成功

• if strings used in your queries are escaped
• if you don't display all the queries results on a page...

• 如果您的查询中使用的字符串被转义
• 如果您不在页面上显示所有查询结果...

The specific value in your database isn't what you should be focusing on. This is likely the result of an attacker fuzzingyour system to see if it is vulnerable to a set of standard attacks, instead of a targeted attack exploiting a known vulnerability.

数据库中的特定值不是您应该关注的。这很可能是攻击者对您的系统进行模糊测试以查看它是否容易受到一组标准攻击的结果，而不是利用已知漏洞的有针对性的攻击。

You should instead focus on ensuring that your application is secure against these types of attacks; OWASP is a good resource for this.

相反，您应该专注于确保您的应用程序对这些类型的攻击是安全的；OWASP 是一个很好的资源。

If you're using parameterized queries to access the database, then you're secure against Sql injection, unless you're using dynamic Sql in the backend as well.

如果您使用参数化查询来访问数据库，那么您可以防止 Sql 注入，除非您也在后端使用动态 Sql。

If you're not doing this, you're vulnerable and you should resolve this immediately.

如果您不这样做，您很容易受到攻击，您应该立即解决这个问题。

Also, you should consider performing some sort of validation of e-mail addresses.

此外，您应该考虑对电子邮件地址执行某种验证。

Its better if you use validation code to the users input for making it restricted to use symbols and part of code in your input form. If you embeed php in html code your php code have to become on the top to make sure that it is not ignored as comment if a hacker edit the page and add /* in your html code

如果您对用户输入使用验证代码以使其限制在输入表单中使用符号和部分代码，则更好。如果您在 html 代码中嵌入 php，则您的 php 代码必须位于顶部，以确保在黑客编辑页面并在您的 html 代码中添加 /* 时不​​会将其作为注释忽略