MySQL 如何使用 SQL 注入更新表?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/3890091/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How can i update a table using SQL Injection?
提问by Fero
How can i able to update a table in a MySQL database using SQL Injection?
如何使用 SQL 注入更新MySQL 数据库中的表?
I have heard about how we can enter the query in the address bar and it is possible to update a table in the MySQL database. But I am not sure about it.
我听说过如何在地址栏中输入查询,并且可以更新 MySQL 数据库中的表。但我不确定。
Kindly give me an idea professionals...
请专业人士给我出主意...
回答by Daniel Vassallo
You may want to try entering Robert'); DROP TABLE students; --in your form :)
您可能想尝试输入Robert'); DROP TABLE students; --您的表单:)
In the above xkcd cartoon, Bobby was probably asked to fill in his name in a form, but he mischievously inserted Robert'); DROP TABLE students; --as his name. Now imagine if that input was used in this query:
在上面的xkcd卡通中,Bobby很可能被要求在一个表格中填写他的名字,但他顽皮地插入Robert'); DROP TABLE students; --了他的名字。现在想象一下,如果在此查询中使用了该输入:
SELECT * FROM students WHERE name = '$input'
As you can see, if we substitute $inputfor what Bobby entered, you'll get this
如您所见,如果我们替换$inputBobby 输入的内容,您会得到这个
SELECT * FROM students WHERE name = 'Robert'); DROP TABLE students; --'
Which are two very valid SQL commands, and a comment.
这是两个非常有效的 SQL 命令和一个注释。
You may also want to research earlier Stack Overflow questions on SQL Injection.
您可能还想研究有关 SQL 注入的早期堆栈溢出问题。
