substring()
mysql> select substring('abc',1,1);
+----------------------+
| substring('abc',1,1) |
+----------------------+
| a |
+----------------------+
1 row in set (0.00 sec)
mid()
mysql> select mid((select database()),1,1);
+------------------------------+
| mid((select database()),1,1) |
+------------------------------+
| s |
+------------------------------+
1 row in set (0.00 sec)
right()
mysql> select right((select database()),2);
+------------------------------+
| right((select database()),2) |
+------------------------------+
| ty |
+------------------------------+
1 row in set (0.00 sec)
mysql> select right('abcd',2);
+-----------------+
| right('abcd',2) |
+-----------------+
| cd |
+-----------------+
left()
mysql> select left('abcd',2);
+----------------+
| left('abcd',2) |
+----------------+
| ab |
+----------------+
1 row in set (0.00 sec)
regexp
# ^ 从最第一个字符开始匹配,右边的匹配字符 可以是 hex
mysql> select database();
+------------+
| database() |
+------------+
| security |
+------------+
1 row in set (0.00 sec)
mysql> select (select database()) regexp '^s';
+---------------------------------+
| (select database()) regexp '^s' |
+---------------------------------+
| 1 |
+---------------------------------+
1 row in set (0.00 sec)
区分大小写 binary
mysql> select (select database()) regexp binary '^S';
+----------------------------------------+
| (select database()) regexp binary '^S' |
+----------------------------------------+
| 0 |
+----------------------------------------+
1 row in set (0.00 sec)
rlike
mysql> select 'abcd' rlike '^ab';
+--------------------+
| 'abcd' rlike '^ab' |
+--------------------+
| 1 |
+--------------------+
1 row in set (0.00 sec)
mysql> select 'abcd' rlike binary '^aB';
+---------------------------+
| 'abcd' rlike binary '^aB' |
+---------------------------+
| 0 |
+---------------------------+
1 row in set (0.00 sec)
ord 和 ascii
返回最左边的 hex,配合字符串截取使用
mysql> select ord('ab');
+-----------+
| ord('ab') |
+-----------+
| 97 |
+-----------+
1 row in set (0.00 sec)
mysql> select ascii('ab');
+-------------+
| ascii('ab') |
+-------------+
| 97 |
+-------------+
1 row in set (0.02 sec)
mysql> select substr('abc' from 2 for 1);
+----------------------------+
| substr('abc' from 2 for 1) |
+----------------------------+
| b |
+----------------------------+
1 row in set (0.00 sec)
mysql> select ord(substr('abc' from 1 for 1));
+---------------------------------+
| ord(substr('abc' from 1 for 1)) |
+---------------------------------+
| 97 |
+---------------------------------+
1 row in set (0.00 sec)
trim()
//前导 删除,返回字符串,支持hex
mysql> select trim(leading 'd' from 'abc')=trim(leading 'e' from 'abc');
+-----------------------------------------------------------+
| trim(leading 'd' from 'abc')=trim(leading 'e' from 'abc') |
+-----------------------------------------------------------+
| 1 |
+-----------------------------------------------------------+
1 row in set (0.00 sec)
mysql> select trim(leading 'd' from 'abc')=trim(leading 'a' from 'abc');
+-----------------------------------------------------------+
| trim(leading 'd' from 'abc')=trim(leading 'a' from 'abc') |
+-----------------------------------------------------------+
| 0 |
+-----------------------------------------------------------+
1 row in set (0.00 sec)
insert()
mysql> select insert((insert('abcde',1,0,'')),2,9999,'');
+--------------------------------------------+
| insert((insert('abcde',1,0,'')),2,9999,'') |
+--------------------------------------------+
| a |
+--------------------------------------------+
1 row in set (0.00 sec)
mysql> select insert((insert('abcde',1,1,'')),2,9999,'');
+--------------------------------------------+
| insert((insert('abcde',1,1,'')),2,9999,'') |
+--------------------------------------------+
| b |
+--------------------------------------------+
1 row in set (0.00 sec)
insert 不使用 引号
database() = 'security'
?id=1' and strcmp(insert(database(),3,99,0x00),0x736500) --+