1.什么是SQL注入,猛戳wikipedia查看
2.本地测试代码:
如果表单提交正确,就打印hello,“username”
否则,打印“404 not found!”
<?php require 'config.php'; $DBConnection = mysql_connect ( "$dbhost", "$dbuser", "$dbpwd" ); mysql_select_db ( "$dbdatabase" ); if(isset($_GET['submit']) && $_GET['submit']){ $sql="select * from test where name='".$_GET['username']."'and password='".$_GET['password']."'"; //echo $sql;exit; $result=mysql_query($sql,$DBConnection); $num=mysql_num_rows($result); if($num>=1) { echo "hello,".$_GET['username']; } else { echo"404 not found"; } } ?> <form action="login.php" method="GET"> <table> <tr> <td>username</td> <td><input type="textbox" name="username"/></td> <td>password</td> <td><input type="textbox" name="password"></td> <td>submit</td> <td><input type="submit" name="submit"></td> </tr> </table> </form> |
3.浏览器界面显示:
4.重头戏,sql注入:
