Question

0 0

模拟sql注入，为啥没成功？


 <form action="" method="post">
        <input type='text' name='text'>
        <input type='submit' value='tj'>
    </form>
    </body>
    </html>

    <?php

        if($_POST){
            $text = $_POST['text'];
            $sql="INSERT INTO aa (cate) VALUES ('" . $text . "')";
            mysql_query($sql);
        }
    ?>

我验证了代码没有问题，也打印出了sql语句
INSERT INTO aa (cate) VALUES ('value'); DROP TABLE aa;--')
也确认了php.ini 的magic_quotes_gpc = Off
但是表aa还是完好的在库里。为什么？

sql注入 php mysql

9 years, 10 months ago

sendoh

share

sendoh 9 years, 10 months ago

Answer 1

0

mysql_query()应该是不可以执行带;的语句吧。

你可以试试用or 1这样的注入。

answered 9 years, 10 months ago

pptp1

share

pptp1 answered 9 years, 10 months ago

模拟sql注入，为啥没成功？

sendoh

Answers

pptp1

Your Answer