What is the meaning of select ''-''


Problem description

There is an article about SQL injection: Abusing MySQL string arithmetic for tiny SQL injections

The question is, what is the meaning of select ''-'' ? I tried it with MySQL, and it returns:

mysql> select ''-'';
+-------+
| ''-'' |
+-------+
|     0 |
+-------+
1 row in set (0.00 sec)

What happened? What does that 0 mean?

And the result of select '-':

mysql> select '-';
+---+
| - |
+---+
| - |
+---+
1 row in set (0.00 sec)

I am very confused about these results.

Recommended answer

You are subtracting (-) one empty string '' from another:

See the following:

mysql> select '';
+--+
|  |
+--+
|  |
+--+
1 row in set (0.00 sec)  

mysql> select '3'-'2';
+---------+
| '3'-'2' |
+---------+
|       1 |
+---------+
1 row in set (0.00 sec)

But there is a warning if it is not a numeric string:

mysql> select 'a'-'b';
+---------+
| 'a'-'b' |
+---------+
|       0 |
+---------+
1 row in set, 2 warnings (0.00 sec)    

The two warnings:

mysql> SHOW WARNINGS LIMIT 2
    -> ;
+---------+------+---------------------------------------+
| Level   | Code | Message                               |
+---------+------+---------------------------------------+
| Warning | 1292 | Truncated incorrect DOUBLE value: 'a' |
| Warning | 1292 | Truncated incorrect DOUBLE value: 'b' |
+---------+------+---------------------------------------+
2 rows in set (0.00 sec)  

Why no warning for the empty string?

Whereas there is no warning for the empty string because it is (cast to something) 0; see below:

mysql> SELECT 0 = '';
+--------+
| 0 = '' |
+--------+
|      1 |
+--------+
1 row in set (0.00 sec)   

Hence by doing ''-'' you are doing 0 - 0:

mysql> SELECT '' - '';
+---------+
| '' - '' |
+---------+
|       0 |
+---------+
1 row in set (0.00 sec)  

To be more clear I am adding the following example (which I feel will be helpful to you):
How conversion happens:

mysql> SELECT '0' = 0
    -> ;
+---------+
| '0' = 0 |
+---------+
|       1 |
+---------+
1 row in set (0.00 sec)  

Note its conversion:

mysql> SELECT '' = '0'
    -> ;
+----------+
| '' = '0' |
+----------+
|        0 |
+----------+
1 row in set (0.00 sec)  

'' is converted into 0, '0' is converted into 0, but '' does not equal '0'

mysql> SELECT '1' = 1
    -> ;
+---------+
| '1' = 1 |
+---------+
|       1 |
+---------+
1 row in set (0.00 sec)

mysql> SELECT '' = 1
    -> ;
+--------+
| '' = 1 |
+--------+
|      0 |
+--------+
1 row in set (0.00 sec) 
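As an added example (not part of the original question or answer, and not MySQL's own code), the following Python model reproduces the coercion rules the answer demonstrates: in a numeric context MySQL uses the longest numeric prefix of a string, warns when anything is left over, and converts the empty string to 0 without any warning, while a comparison of two strings stays a string comparison. The whitespace handling is simplified and is an assumption; the model is useful for reasoning about which user-supplied strings silently become 0 in a WHERE clause.

```python
import re
from typing import List, NamedTuple, Optional, Tuple, Union

# Assumption: simplified model of MySQL's string -> DOUBLE coercion
# (used by the '-' operator and by string-vs-number comparisons).
_NUMERIC_PREFIX = re.compile(r"^\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?")


class Cast(NamedTuple):
    value: float
    warning: Optional[str]  # mimics "Truncated incorrect DOUBLE value: '...'"


def to_double(s: str) -> Cast:
    """Convert a string the way MySQL does in a numeric context.

    '' -> 0 silently; 'a' -> 0 with a warning; '12abc' -> 12 with a warning.
    """
    if s == "":
        return Cast(0.0, None)
    m = _NUMERIC_PREFIX.match(s)
    if m is None:
        return Cast(0.0, f"Truncated incorrect DOUBLE value: '{s}'")
    value = float(m.group(0))
    if m.end() != len(s):  # leftover characters -> truncation warning
        return Cast(value, f"Truncated incorrect DOUBLE value: '{s}'")
    return Cast(value, None)


def minus(a: str, b: str) -> Tuple[float, List[str]]:
    """Evaluate  a - b  for two string operands, returning (result, warnings)."""
    ca, cb = to_double(a), to_double(b)
    warnings = [w for w in (ca.warning, cb.warning) if w]
    return ca.value - cb.value, warnings


def equals(a: Union[str, int, float], b: Union[str, int, float]) -> bool:
    """Evaluate  a = b : two strings compare as strings, otherwise numerically."""
    if isinstance(a, str) and isinstance(b, str):
        return a == b
    na = to_double(a).value if isinstance(a, str) else float(a)
    nb = to_double(b).value if isinstance(b, str) else float(b)
    return na == nb


if __name__ == "__main__":
    print(minus("", ""))        # (0.0, [])   -- the ''-'' case from the question
    print(minus("a", "b"))      # (0.0, [two truncation warnings])
    print(equals("", 0), equals("", "0"))  # True False
```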
