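// Database connection (数据库连接)
// The connection charset belongs in the DSN: PDO then knows the encoding for its own
// client-side handling, which a later "SET NAMES" issued via exec() does not provide.
$dsn = "mysql:dbname=test;host=localhost;charset=utf8";
$user = "test";
$password = "test";

try {
    // Connection options:
    //  - ERRMODE_EXCEPTION: a failed prepare()/execute() throws instead of returning
    //    false, so a broken query cannot be silently ignored further down.
    //  - EMULATE_PREPARES = false: the parameter values are sent to the server
    //    separately from the SQL text (native prepared statements) rather than being
    //    escaped into the query string on the client.
    $dbh = new PDO($dsn, $user, $password, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
} catch (PDOException $e) {
    // Stop here: the original script fell through and then used an undefined $dbh.
    // The exception message can include host/user details, so on a public page
    // prefer logging it over echoing it.
    echo "Connection failed: " . $e->getMessage();
    exit(1);
}

echo "\n--------------------------------------------\n";

// :vid is a named placeholder; the value is bound at execute() time and is never
// concatenated into the SQL text, which is what makes the injection attempts below fail.
$sql = "SELECT * from `c_conf` WHERE `var_name`=:vid";

$ph = $dbh->prepare($sql);
$ph->execute(['vid' => 'var1']);

// Default fetch mode is FETCH_BOTH, so each row carries both column-name and numeric keys
// (this is why the dumped result shows every column twice).
$result = $ph->fetchAll();

echo "\n\n";
var_dump($result);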
结果:
- array(1) { [0]=> array(16) { ["varid"]=> string(1) "1" [0]=> string(1) "1" ["pluginid"]=> string(1) "2" [1]=> string(1) "2" ["title"]=> string(15) "第二个插件" [2]=> string(15) "第二个插件" ["desc"]=> string(21) "这是第二个插件" [3]=> string(21) "这是第二个插件" ["var_name"]=> string(4) "var1" [4]=> string(4) "var1" ["type"]=> string(4) "text" [5]=> string(4) "text" ["value"]=> string(6) "abcdef" [6]=> string(6) "abcdef" ["extra"]=> string(0) "" [7]=> string(0) "" } }
一、添加OR等条件:
结果可以查到var_name为var1的记录。
把execute修改为:$ph->execute(array('vid'=>'"var1" OR 1=1'));
则是查询不到任何记录,返回:array(0) {
}
二、多个查询注入
$ph->execute(array('vid'=>'"var1"; SELECT * FROM `c_conf`;'));
查询结果仍然是空：绑定的参数只会被当作一个完整的字符串值来比较，而不会被解析成 SQL 语句的一部分。