我必須創建一個可以注入SQL的應用程序,但是我不能讓SQL注入成爲可能。我嘗試了所有的SQL注入,但我沒有成功。可以編寫像admin'#
這樣的用戶名,因爲這會註釋掉該行。爲什麼不能SQL注入?
我希望你能幫助我。你可以在下面看到我的代碼。
<?php
include('include/config.php');
include('parts/header.php');
$submit = $_POST['submit'];
$username = $_POST['username'];
$password = $_POST['password'];
if ($submit) {
if(!empty($username OR !empty($password))) {
$sqlQuery = mysql_query("SELECT * FROM users WHERE username = '$username' AND password = '$password'");
if(mysql_num_rows($sqlQuery) == 1) {
// Success - admin'#
echo "LOGGEDIN";
$_SESSION['loggedin'] = 1;
}
else {
echo "Wrong password or username";
}
}
else {
echo "You didn't fill every field.";
}
}
?>
<div id="container">
<form action="login.php" method="POST">
<input type="text" name="username" placeholder="Type user name...">
<input type="password" name="password" placeholder="Type password...">
<input type="submit" name="submit" value="Log in">
</form>
</div>
這是託管在活的網站的某個地方? – RamRaider
你的AND條件使它始終爲假 –
你試圖注入它的是什麼? – Phiter