Community
Learn
Tools Library
AI Tools
Leisure
search
English
Home > Database > Mysql Tutorial > Can SQL Injection Still Occur Even with `mysql_real_escape_string()`?

Can SQL Injection Still Occur Even with `mysql_real_escape_string()`?

DDD
Release: 2025-01-25 21:18:11
Original
547 people have browsed it

Can SQL Injection Still Occur Even with `mysql_real_escape_string()`?

Even if you use mysql_real_escape_string (), the sql injection may still occur

Although it is generally believed that mysql_real_escape_string () can prevent SQL injection, in specific cases, SQL injection may still happen. The following explains how this attack happened:

    character set selection:

  1. Set the server character set to allow the ASCII back slope (0x5C) and the invalid multi -line character character set (for example, GBK). This can be implemented through the Set Names statement.

    Effective load Construction:

  2. Create an effective load starting with 0xbf27. In the specified character set (for example, GBK), this means an invalid multi -line character that will be converted to 0x27 (skimp) in Latin1.

      • mysql_real_escape_string () Operation:

  3. mysql_real_escape_string () based on connected character sets (GBK) operations, rather than the client faked character set (Latin1). It will be effective to be valid to 0x5c27. However, because the client still believes that it uses Latin1, the backslash (0x5C) is still unprofitable.

    • Query execution:
  4. The rendering query contains an unprepared skimmer in the content of the righteousness, which leads to a successful injection attack.

      PDO and MySQLI vulnerabilities:
    5. PDO's default use of analog pre -processing statements, which is easily attacked.

MySQLI is not affected because it uses a real pre -processing statement.

Relieve measures:
  • Use non -attacking character sets to connect coding (for example, UTF8).
Use MySQL_SET_CHARSET () / PDO DSN character set parameters Correctly set the connection character set.

Disable simulation pre -processing statements in PDO.

    The following conditions are verified:
  • Modern mysql version with the correct character set management
  • or use non -vulnerable character sets

You can reduce this potential loophole.

The above is the detailed content of Can SQL Injection Still Occur Even with `mysql_real_escape_string()`?. For more information, please follow other related articles on the PHP Chinese website!

source:php.cn
Previous article:How to Select Only Rows with the Maximum Value in a Specific Column in SQL? Next article:Can SQL Injection Bypass `mysql_real_escape_string()` Due to Character Encoding Issues?
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Latest Articles by Author
Latest Issues
function_exists() cannot determine the custom function Function test () {return true;} if (function_exists ('test')) {echo "test is function...
From 2024-04-29 11:01:01
0
3
2604
How to display the mobile version of Google Chrome Hello teacher, how can I change Google Chrome into a mobile version?
From 2024-04-23 00:22:19
0
11
2730
The child window operates the parent window, but the output does not respond. The first two sentences are executable, but the last sentence cannot be implemented.
From 2024-04-19 15:37:47
0
1
2320
There is no output in the parent window document.onclick = function(){ window.opener.document.write('I am the output of the child ...
From 2024-04-18 23:52:34
0
1
2177
Where is the courseware about CSS mind mapping? Courseware
From 2024-04-16 10:10:18
0
0
2283
Related Topics
More>
Popular Recommendations
Popular Tutorials
More>
Related Tutorials
Popular Recommendations
Latest courses
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template