[個案 1] 以 -- injection
Code
$query = "SELECT * FROM products WHERE category_id = $category AND released = 1";
當 $category 是 "1--" 時, 就無視要條件 "released = 1"
[個案 2] 以 ' injection
Code
$query = "SELECT * FROM products WHERE category_id = '$category' AND released = 1";
當 "$category=' OR 1=1", 就無視要條件 "released = 1"
[個案 3] OR 1=1
Code
"SELECT * FROM Users WHERE UserId = " + UserId;
當 "UserId=1 OR 1=1", 就會 Select 晒所有 User
[個案 4] " OR ""="
Code
sql ='SELECT * FROM Users WHERE Name ="' + uName + '" AND Pass ="' + uPass + '"'
當
uName:
uPass: " OR ""="
SELECT * FROM Users WHERE Name ="" AND Pass ="" OR ""=""
... AND ... OR TRUE
所以會返回整個 Users Table