sqli-Labs————less-37

Less-37


Let's take a look at the source code:




	
Less-37- MySQL_real_escape_string

  <?php
  // ...
  //echo "Input password before addslashes is : ".$passwd1. "<br>";

  //logging the connection parameters to a file for analysis.
  $fp=fopen('result.txt','a');
  fwrite($fp,'User Name:'.$uname1);
  fwrite($fp,'Password:'.$passwd1."\n");
  fclose($fp);

  $uname = mysql_real_escape_string($uname1);
  $passwd= mysql_real_escape_string($passwd1);

  //echo "username after addslashes is :".$uname ."<br>";
  //echo "Input password after addslashes is : ".$passwd;

  // connectivity
  mysql_query("SET NAMES gbk");
  @$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
  $result=mysql_query($sql);
  $row = mysql_fetch_array($result);

    if($row)
    {
      //echo '';
      echo "<br>";
      echo '';
      //echo " You Have successfully logged in\n\n " ;
      echo '';
      echo "<br>";
      echo 'Your Login name:'. $row['username'];
      echo "<br>";
      echo 'Your Password:' .$row['password'];
      echo "<br>";
      echo "<br>";
      echo "<br>";
      echo "<br>";
      echo '';
      echo "<br>";
    }
    else
    {
      echo '';
      //echo "Try again looser";
      print_r(mysql_error());
      echo "<br>";
      echo "<br>";
      echo "<br>";
      echo '';
      echo "<br>";
    }
  }
  ?>

  <?php
  echo "Hint: The Password you input is escaped as : ".$passwd ."<br>";
  ?>

Filter functions:

  $uname = mysql_real_escape_string($uname1);
  $passwd= mysql_real_escape_string($passwd1);

SQL statement:

  @$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";

Given the filter functions and the SQL statement above, we simply use the universal password used earlier to get through:

username:' or 1=1#

password:aaa

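Summary: the three common ways to filter ' and \ are replace, addslashes and mysql_real_escape_string(). However, with any of these three approaches, relying on a single function alone cannot provide a complete defense; we need to be more rigorous when writing code.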
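
As an added example (not part of the original post or of sqli-labs), here is the lesson's login query rewritten with mysqli: the connection charset is set through `set_charset()` so the client library knows it, and the values are bound as parameters instead of being escaped into the SQL string. The host, credentials, database name and the POST field names `uname` / `passwd` are assumptions.

```php
<?php
// Added example, not sqli-labs code. Host, credentials, database name and the
// POST field names 'uname' / 'passwd' are placeholders assumed for illustration.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function open_db(): mysqli
{
    $db = new mysqli('127.0.0.1', 'app_user', 'app_password', 'app_db');
    // set_charset() informs the client library of the connection charset.
    // A "SET NAMES gbk" query changes it on the server side only.
    // Pass 'gbk' here instead if the application really needs that charset.
    $db->set_charset('utf8mb4');
    return $db;
}

function find_user(mysqli $db, string $uname, string $passwd): ?array
{
    // Same query as the lesson, but the values are bound as parameters and
    // never become part of the SQL text, so no quoting or escaping is involved.
    $stmt = $db->prepare(
        'SELECT username, password FROM users WHERE username = ? AND password = ? LIMIT 0,1'
    );
    $stmt->bind_param('ss', $uname, $passwd);
    $stmt->execute();
    $stmt->bind_result($username, $password);
    $row = $stmt->fetch() ? ['username' => $username, 'password' => $password] : null;
    $stmt->close();
    return $row;
}

if (isset($_POST['uname'], $_POST['passwd'])
    && is_string($_POST['uname']) && is_string($_POST['passwd'])) {
    try {
        $row = find_user(open_db(), $_POST['uname'], $_POST['passwd']);
        if ($row !== null) {
            echo 'Your Login name: '
                . htmlspecialchars($row['username'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        } else {
            echo 'Login failed';
        }
    } catch (mysqli_sql_exception $e) {
        // Keep database errors out of the response; the lesson prints mysql_error().
        error_log($e->getMessage());
        http_response_code(500);
        echo 'Internal error';
    }
}
```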
