Reference: https://www.jianshu.com/p/3fe7904683ac
Environment
wampserver2.5-Apache-2.4.9-Mysql-5.6.17-php5.5.12-32b
PS: I only have this version of the wamp environment in which the second-order injection can be reproduced successfully. In the phpstudy version there is escaping: if escaping is applied when the data is inserted, the dirty data stored in the database is escaped as well.
Principle of SQL second-order injection:
When data is inserted into the database for the first time, special characters are only escaped with addslashes or get_magic_quotes_gpc. The original data is kept when it is written to the database (the escaping backslashes are consumed by the database on insert), but the data itself is dirty. When it is needed for a later query, the dirty data is read straight out of the database and used without any further checking or processing, which produces a second-order SQL injection.
For example, when the data is first inserted, a value containing a single quote is written into the database unchanged; the next time that value is used, for instance in a subsequent update, a second-order injection is formed.
Example 1
Section 24 of sqli-labs
$username = mysql_real_escape_string($_POST["login_user"]);
$password = mysql_real_escape_string($_POST["login_password"]);
$sql = "SELECT * FROM users WHERE username='$username' and password='$password'";
// The login query escapes its input with mysql_real_escape_string, so it cannot be injected directly.
- Register an admin'# account
- Log in with admin'# and change the password to 123
You can see that admin's password was changed from admin to 123
$sql = "UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass' ";
This is because, when the username is admin'#, the update statement above executes as:
$sql = "UPDATE users SET PASSWORD='$pass' where username='admin'#' and password='$curr_pass' ";
The stored single quote closes the username literal and the # comments out the rest of the statement, so the password check is never evaluated and the row whose username is admin is updated.
Example 2
A Simple demo
Create a database
mysql> create database demo;
mysql> use demo;
mysql> create table story(
    id int(10) NOT NULL AUTO_INCREMENT,
    title varchar(50) NOT NULL,
    author varchar(30) NOT NULL,
    description varchar(300) NOT NULL,
    content varchar(888) NOT NULL,
    PRIMARY KEY (id));
- connect.php
<?php
$dbuser = 'root';
$dbpass = 'xxxx';
$dbname = "demo";
$host = 'localhost';
$dbname1 = "story";
$con1 = mysqli_connect($host, $dbuser, $dbpass, $dbname);
// mysqli_connect_errno() takes no arguments; it reports the error of the last connect attempt
if (mysqli_connect_errno()) {
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
?>
- insert.php
<?php
include('connect.php');
$title = addslashes($_POST['title']);   // addslashes escapes the predefined characters ' " \ and NUL
echo $title;
$author = addslashes($_POST['author']);
$description = addslashes($_POST['description']);
$content = addslashes($_POST['content']);
$insert = "INSERT INTO story(title,author,description,content) VALUES('$title','$author','$description','$content')";
echo $insert;
// mysqli_query($con1, "set names utf8"); // set encoding
$result = mysqli_query($con1, $insert);
if ($result) {
    echo "success!!!";
} else {
    echo "failed!";
}
?>
- connect.php
<!DOCTYPE html>
<html>
<head>
<meta charset="utf8">
<title>La la la la la la la la la la la la la la la la la la la la la la la la la la la la la la la la la la la la la la la la la la la la la la la la la la la la la la la la la</title>
</head>
<body>
<?php
include('connect.php'); // include the database configuration file
$id = $_GET['id'];
$select_sql = "SELECT * FROM story WHERE id='$id'";
// echo $select_sql;
$select_sql_result = mysqli_query($con1, $select_sql);
while ($date = mysqli_fetch_array($select_sql_result)) {
    echo 'Title:' . $date['title'] . '<br>';
    echo 'author:' . $date['author'] . '<br>';
    echo 'Summary:' . $date['description'] . '<br>';
    echo 'text:' . $date['content'] . '<br>';
}
?>
</body>
</html>
The method is the same as in Example 1: addslashes only protects the INSERT, the database stores the value without the backslashes, and any later query that reuses the stored title, author or content without escaping or parameterising it again is injectable in the same second-order way.
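The flow of Example 1 and the demo above, as an added example that is not part of the original post: Python with an in-memory SQLite database stands in for PHP/MySQL, `--` replaces `#` because SQLite has no `#` comment, and the table, the admin row and the registered value are constructed here. Registration escapes its input correctly, yet the change-password query becomes injectable the moment it trusts a username read back from the database; the parameterised version shows the fix.

```python
import sqlite3


def new_db():
    """Constructed sample schema: a users table with a pre-existing admin/admin row."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'admin')")
    return con


def sql_escape(value):
    """Stand-in for mysql_real_escape_string: in SQLite a quote is escaped by doubling it."""
    return value.replace("'", "''")


def register(con, username, password):
    # First-order input IS escaped, so registration itself is not injectable.
    # The database stores the literal string admin'-- (the escaping is consumed on insert).
    con.execute("INSERT INTO users VALUES ('%s', '%s')"
                % (sql_escape(username), sql_escape(password)))


def change_password_vulnerable(con, session_user, curr_pass, new_pass):
    # session_user came back from the database and is treated as already clean, so it is
    # interpolated unescaped: the stored quote closes the literal and -- comments out the
    # password check, exactly like admin'# in the sqli-labs update statement.
    sql = ("UPDATE users SET password='%s' WHERE username='%s' AND password='%s'"
           % (sql_escape(new_pass), session_user, sql_escape(curr_pass)))
    con.execute(sql)
    return sql


def change_password_safe(con, session_user, curr_pass, new_pass):
    # Parameterised: the stored value is bound as data, so it can only match its own row.
    con.execute("UPDATE users SET password=? WHERE username=? AND password=?",
                (new_pass, session_user, curr_pass))


def password_of(con, username):
    return con.execute("SELECT password FROM users WHERE username=?",
                       (username,)).fetchone()[0]


def demo(safe):
    """Returns (admin's password, registered account's password) after the password change."""
    con = new_db()
    register(con, "admin'--", "pw")  # constructed dirty username, stored unescaped
    stored = con.execute("SELECT username FROM users WHERE username <> 'admin'").fetchone()[0]
    if safe:
        change_password_safe(con, stored, "pw", "123")
    else:
        change_password_vulnerable(con, stored, "pw", "123")
    return password_of(con, "admin"), password_of(con, stored)
```

`demo(False)` shows admin's password overwritten with 123 while the registered account is untouched; `demo(True)` shows only the registered account changing.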