The brothers who know my eviLOctal weblog know that there has long been such an item on my schedule:
A summary of UNION queries in injection
But because my courses have been too busy, it has not been completed until today. Many big sites in the industry are in this situation too, so I have to write a summary of injection queries. Cutting to the point ...
Without much nonsense: today we make a second summary of the SQL injection attack method that has been so popular for a while, covering SQL query statements. For convenience, this summary takes MSSQL as the example. Feel free to collect or reprint it, just treat the author well :)
The query statement is the core operation of a database, and over the past year it has also been at the center of SQL injection attack incidents. Its general format is:
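SELECT [ALL | DISTINCT] <target column expression> [, <target column expression>] ...
FROM <table or view name> [, <table or view name>] ...
[WHERE <condition expression>]
[GROUP BY <column name> [HAVING <condition expression>]]
[ORDER BY <column name> [ASC | DESC]];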
Confused by it? It doesn't matter, let me explain it to you ...
The meaning of the whole SELECT statement:
According to the condition in the WHERE clause, the tuples that satisfy it are found in the base tables or views specified by the FROM clause, and the result table is then formed according to the target column expressions in the SELECT clause. If there is a GROUP BY clause, the result is grouped by the given column, and tuples with equal values in that column form one group.
If the GROUP BY clause has a HAVING phrase, only the groups that satisfy the specified condition are output. If there is an ORDER BY clause, the result is sorted in ascending or descending order by the given column.
Is that very abstract? It doesn't matter. We will give an example. Assume the database of the eviLOctal article system is as follows:
User table: EST_USER (UID, Name, PWD, Group)
UID is the user number of an article system staff member; Name is the username; PWD is the password column corresponding to the username; Group is the group the user belongs to in the article system.
In the article table EST_ART: AID is the number of the article; Aname is the column that stores the article topic; ABODY is the column that stores the text of the article; ATIPS is the classification the article belongs to.
Now let's use these tables to show how the query statement is used. Once you have gone through the examples, it will come to you.
Single table query
One: selecting several columns of a table
1 Query specified columns: query the username and group of all staff
SELECT Name, [Group] FROM EST_USER;
(Group is a reserved word in MSSQL, so the column name is written in brackets.)
2 Query all columns: query the detailed records of all staff
SELECT * FROM EST_USER;
The statement above, which we often see in source code, is actually equivalent to SELECT UID, Name, PWD, [Group] FROM EST_USER;
Two: selecting several tuples of a table
Originally this was meant to be a simple summary and I did not want to go into this part. Unfortunately, I find there is some of it I cannot get around, depressing as that is. Let's take a look.
1 Query the tuples that meet the conditions
Here we mainly talk about comparing sizes and determining ranges ...
(1) Comparing sizes
Look at this statement: SELECT Name, UID FROM EST_USER WHERE UID < 10; It queries the username and user number of all article system staff whose user number is less than 10. You can also write it as SELECT Name, UID FROM EST_USER WHERE NOT UID >= 10;
(2) Determining a range
Let us query the users in the article system user table whose user number is between 5 and 10 (including 5 and 10). You can use the following statement.
SELECT Name, UID, [Group] FROM EST_USER WHERE UID BETWEEN 5 AND 10;
Then how do we say "not between 5 and 10"? Ha ha, just use NOT BETWEEN, and don't say ice and blood was not detailed ...
(3) Multiple conditions
The logical operators AND and OR can be used to connect multiple query conditions. AND has higher priority than OR, but you can use parentheses to change this priority.
We will give you an example ... We want to query the usernames of all users in the moderators group whose user number is below 10. How should we construct this statement? Hehe, I am long-winded enough ... It is constructed as follows:
SELECT Name FROM EST_USER WHERE [Group] = 'moderators' AND UID < 10;
As for OR, you will have to work it out yourselves, haha ...
Nested query
In SQL, a SELECT-FROM-WHERE statement is called a query block. A query in which one query block is nested inside another query block, in its WHERE clause or in the condition of its HAVING phrase, is called a nested query. It is actually quite useful for injection, so let's talk about it here ...
For example:
SELECT Name
FROM EST_USER
WHERE UID IN
    (SELECT UID
     FROM EST_ART
     WHERE AID = '8');
Read this way, we first see SELECT Name FROM EST_USER WHERE UID = ''; this returns the Name of the rows in the EST_USER table whose UID column equals a specified value.
And SELECT UID FROM EST_ART WHERE AID = '8'; returns the UID of the article numbered 8 in the EST_ART table. That UID is handed to the outer query, which completes the nested query.
Subqueries with the EXISTS predicate
In fact there are several kinds of subquery in this category, so why do I only talk about EXISTS? Because many GGDDs use it a lot, and I like to use it with injection. I don't query. Just put the database. I don't want to check how to check you. LCX big brother, yeah? I have to learn from him ... and now I have started flattering. -_- |||
EXISTS represents the existential quantifier (the symbol is actually a reversed E, but I can't find it to type right now). A subquery with the EXISTS predicate does not return any data; it only produces a logical value, TRUE or FALSE.
That is the reason I use it for injection ...
Query all staff who have an article whose ATIPS property is tech:
SELECT Name FROM EST_USER WHERE EXISTS (SELECT * FROM EST_ART WHERE EST_ART.UID = EST_USER.UID AND ATIPS = 'tech');
With EXISTS, if the inner query result is not empty, the outer WHERE clause gets the value TRUE; otherwise it gets FALSE. The target column expression of a subquery introduced by EXISTS is generally written as *, because such a subquery only returns true or false, so listing column names has no meaning ...
Set queries
Finally, let's talk about the legendary UNION query. I had not had time to summarize it until now, so I have to be succinct here, haha. Writing articles and summarizing experience is a very happy thing. Is it like a small road that is full of flowers? Haha, since the temporary actor Xiaolu appeared, let's introduce it! It is also a cattle who introduces :P
In fact, set queries are not only UNION, so why do we only talk about UNION? Because hacking uses it, heh.
An example
Suppose we want to query the users of the moderators group together with the users whose user number is not more than 8, that is, the union of the two sets. We construct the statement like this:
SELECT * FROM EST_USER WHERE [Group] = 'moderators' UNION SELECT * FROM EST_USER WHERE UID <= 8;
Haha, it seems very difficult. It comes down to how everyone uses it ...
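The nested, EXISTS and UNION queries above, run against a small database, as an added example that is not part of the original post. Assumptions: SQLite stands in for MSSQL, all rows are constructed sample data, and the UID column of EST_ART is taken from the post's own queries. It also goes one step beyond the text by showing that both sides of a UNION must return the same number of columns.

```python
import sqlite3

def build_db():
    """In-memory stand-in for the page's schema; all rows are constructed."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE EST_USER (UID INTEGER PRIMARY KEY, Name TEXT, PWD TEXT, [Group] TEXT);
        CREATE TABLE EST_ART  (AID INTEGER PRIMARY KEY, UID INTEGER, Aname TEXT,
                               ABODY TEXT, ATIPS TEXT);
        INSERT INTO EST_USER VALUES
            (3,  'alice', 'x', 'moderators'), (7,  'bob',  'x', 'members'),
            (12, 'carol', 'x', 'moderators'), (15, 'dave', 'x', 'members');
        INSERT INTO EST_ART VALUES
            (8, 7, 'a8', 'body', 'tech'), (9, 12, 'a9', 'body', 'tech'),
            (10, 3, 'a10', 'body', 'news');
    """)
    return db

def names(db, sql, params=()):
    """Run a query with bound parameters (never string concatenation)."""
    return sorted(row[0] for row in db.execute(sql, params))

def author_of(db, aid):
    # Nested query: the inner block yields UIDs, the outer block maps them to names.
    return names(db, "SELECT Name FROM EST_USER WHERE UID IN "
                     "(SELECT UID FROM EST_ART WHERE AID = ?)", (aid,))

def authors_by_tips(db, tips):
    # Correlated EXISTS: the subquery only answers true or false per outer row.
    return names(db, "SELECT Name FROM EST_USER WHERE EXISTS (SELECT * FROM EST_ART "
                     "WHERE EST_ART.UID = EST_USER.UID AND ATIPS = ?)", (tips,))

def moderators_or_low_uid(db, limit):
    # UNION merges both result sets and removes duplicate rows.
    return names(db, "SELECT Name FROM EST_USER WHERE [Group] = 'moderators' "
                     "UNION SELECT Name FROM EST_USER WHERE UID <= ?", (limit,))

def union_column_mismatch(db):
    # Both sides of a UNION must return the same number of columns.
    try:
        db.execute("SELECT UID, Name FROM EST_USER UNION SELECT AID FROM EST_ART")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    db = build_db()
    print(author_of(db, 8), authors_by_tips(db, "tech"))
    print(moderators_or_low_uid(db, 8), union_column_mismatch(db))
```

Every value in these queries is passed as a bound parameter, so the text of each statement stays fixed no matter what the caller supplies.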
OK, this little summary comes to an end here. I hope it is of use to the learners who read this article, which would be very gratifying.
Article I wrote that if there is a mistake I don't say it, I have a fate. I have been looking for it ... I got to see you :)