This is a classic SQL injection.

这是一个经典的 SQL 注入。

See this fiddle while I explain it: SQLfiddle

在我解释它的同时看到这个小提琴：SQLfiddle

In this example, there are 5 users being added to the table. Your query is then run. The expected result would be to return the password value for the adminuser only.

在此示例中，有 5 个用户被添加到表中。然后运行您的查询。预期的结果是admin仅为用户返回密码值。

However, by adding 1=1, which is a true statement, all passwords are returned.

但是，通过添加1=1，这是一个真实的语句，将返回所有密码。

Another way to help visualize this, is to add parenthesis so that you can see how everything is evaluated.

另一种帮助形象化的方法是添加括号，以便您可以查看所有内容的评估方式。

SELECT pass FROM users WHERE (user_name = 'admin')              OR (1=1) -- '
                                 ^ Pulls only the admin user        ^ Pulls everything because 1=1

So, we are selecting the password from the table where the user name is admin. We are also pulling the password from the table where ever 1=1 - which is always true. Each row is evaluated to true, thus all passwords are returned.

因此，我们从用户名为 的表中选择密码admin。我们还从表中提取密码，只要 1=1 - 这总是正确的。每一行都被评估为真，因此返回所有密码。

The final -- 'is used to comment out the rest of your query.

final-- '用于注释掉查询的其余部分。

SELECT pass from users WHERE user_name = 'admin' or (1=1) -- 'and permission='superadmin'

Normally, (if the 1=1hadn't been injected), you'd pull the password for the user with user_name of admin and superadmin permissions. You've now commented that out, and it isn't executed. This is how the entire table of passwords can be returned.

通常，（如果1=1尚未注入），您会为具有 admin 和超级管理员权限的 user_name 的用户提取密码。您现在已将其注释掉，但并未执行。这就是可以返回整个密码表的方式。

The result of a logical ORis as following:

逻辑结果OR如下：

a     | b     | a OR b
-----------------------
false | false | false
false | true  | true
true  | false | true
true  | true  | true

The result of a OR b evaluates to true, if one of the operands is true.

如果操作数之一为真，则 a OR b 的结果为真。

1 = 1 evaluates to true

=>

=>

(any expression) OR 1 = 1 evaluates to true

=>

=>

name = 'admin' OR 1 = 1 

evaluates to true for every row of your table

对表的每一行评估为真

Result:

结果：

SELECT password FROM tbl_users WHERE name = 'admin' OR 1=1 -- '

will return the passwords for all users, not only for admin, because as stated by PeeHaa

将返回所有用户的密码，不仅仅是管理员，因为正如 PeeHaa 所说

--

is the begin of a sql comment.

是 sql 注释的开始。

There are 2 possible confusions I can imagine you experiencing here. The first is, as others have mentioned, expr1 OR expr2returns true whenever eitherexpr1or expr2is true. Since 1=1is always true, your WHEREstatement will be true for every record in the table.

我可以想象您在这里遇到了两种可能的困惑。首先是，正如其他人所提到的，expr1 OR expr2返回真每当要么expr1或者expr2是真实的。由于1=1始终为真，因此您的WHERE语句对于表中的每条记录都为真。

The second thing you might be confused about is that last -- 'in the query. The --is the SQL equivalent of //in PHP; it indicates that the rest of the line is a comment and should be ignored. So the SQL interpreter is only reading SELECT password FROM tbl_users WHERE name = 'admin' OR 1=1and ignoring the rest of the line, which is why that trailing single quote isn't causing a syntax error.

您可能会感到困惑的第二件事是-- '查询中的最后一个。该--是SQL等价的//PHP中; 它表示该行的其余部分是注释，应该被忽略。所以 SQL 解释器只读取SELECT password FROM tbl_users WHERE name = 'admin' OR 1=1并忽略该行的其余部分，这就是为什么尾随单引号不会导致语法错误的原因。

The only security risk here is if you are passing unescaped user input to SQL. Always escape any user input with mysqli_real_escape_stringor an equivalent function before using it in an SQL query.

这里唯一的安全风险是您是否将未转义的用户输入传递给 SQL。在 SQL 查询中使用之前，始终使用mysqli_real_escape_string或等效函数对任何用户输入进行转义。

Edit: As pointed out in the comments, parameterized queries are generally a better practice than escaping each input element manually. PHP's PDOextension is a good place to start with this approach.

编辑：正如评论中所指出的，参数化查询通常比手动转义每个输入元素更好。PHP 的PDO扩展是开始使用这种方法的好地方。

The last part -- 'is comment, so MySQL doesn't care. So we have no left

最后一部分-- '是注释，所以 MySQL 不关心。所以我们没有剩下

SELECT password FROM tbl_users WHERE name = 'admin' OR 1=1

In this query 1=1is true because 1 is the same is 1. It could be here of course another true expressions as for example 2=2or 'a'='a'- the result will be always the same.

在此查询中1=1为真，因为 1 与 1 相同。当然，这里可能是另一个真表达式，例如，2=2或者'a'='a'- 结果将始终相同。

So your query could look like this:

因此，您的查询可能如下所示：

SELECT password FROM tbl_users WHERE name = 'admin' OR true

Operator ORworks this way that if any of conditions is true it means that the whole expression is true. In expression name = 'admin' OR trueone expression is true (true is true) so this whole expressions is true

运算符的OR工作方式是，如果任何条件为真，则表示整个表达式为真。在表达式中，name = 'admin' OR true一个表达式为真（真为真）所以整个表达式为true

So the query now could be

所以现在的查询可能是

SELECT password FROM tbl_users WHERE true

Now if we look at WHERE part we have WHERE true. It means de facto there is no condition, so we can change query into:

现在，如果我们看看 WHERE 部分，我们有WHERE true. 这意味着事实上没有条件，因此我们可以将查询更改为：

SELECT password FROM tbl_users

So as you see your query simple get column passwordfor each records in your table (probably for all users)

因此，当您看到您的查询简单获取password表中每条记录的列时（可能适用于所有用户）

I think you are looking for 'AND' instead of 'OR'

我认为您正在寻找“AND”而不是“OR”

'OR' means that one of the conditions (WHERE name = 'admin' OR 1=1) must be true, and in this case, it is returning everything that has name equal to 'admin', or that has 1 equal to 1.

'OR' 表示条件之一（WHERE name = 'admin' OR 1=1）必须为真，在这种情况下，它返回名称等于 'admin' 或 1 等于 1 的所有内容.

Try using this instead:

尝试改用这个：

SELECT password FROM tbl_users WHERE name = 'admin' AND 1=1