开发者

what does /* in sql means?

I have seen a piece of sql injection example code like below, what does the '/*' in sql means?

$_POST['username'] = chr(0xbf) . chr(0x27) . '开发者_如何转开发 OR username = username /*';

$_POST['password'] = 'guess';

$mysql['username'] = addslashes($_POST['username']);

$mysql['password'] = addslashes($_POST['password']);

$sql = "SELECT * FROM   users WHERE  username = '{$mysql['username']}' AND password = '{$mysql['password']}'";

$result = $db->query($sql);


/* is the beginning of a comment. */ ends the comment. The attacker is trying to comment out the remainder of the query.


/* begins a comment, so everything after that is ignored until a */ is encountered

Your attacker introduced an open comment, thereby nullifying the effect of the password check


/* means a start of a multiline comment

For example:

/*

CREATE PROC A_SAMPLE_PROC

BEGIN

AS
SELECT * FROM A_SAMPLE_TABLE
END

*/

while -- means single line comment. Keyboard shortcut for commenting in MS SQL Server Studio is Ctrl + K, Ctrl + C

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜