How Can SQL Injection Bypass `mysql_real_escape_string()`?

Susan Sarandon
Release: 2025-01-25 21:27:10

Bypassing the function with invalid multibyte characters

SQL injection can occur even when mysql_real_escape_string() is used. The following steps demonstrate how the function can be bypassed:

  1. Set the server character set to an encoding that is vulnerable to the attack:

    <code class="language-php">mysql_query('SET NAMES gbk');</code>
  2. Build an attack payload containing an invalid multibyte character:

    <code class="language-php">$var = mysql_real_escape_string("\xbf\x27 OR 1=1 /*");</code>
  3. Run a non-prepared query with the payload:

    <code class="language-php">mysql_query("SELECT * FROM test WHERE name = '$var' LIMIT 1");</code>

The escaping performed by mysql_real_escape_string() depends on the character set currently in use. In this example, however, the connection uses a vulnerable character set (such as GBK), which allows invalid multibyte characters to be created. As a result, the injection payload is not escaped correctly and the injection attack succeeds.

Safety measures

To prevent such injection attacks, be sure to take the following measures:

  • Use a safe character set: choose a character set that is not vulnerable to the attack, such as UTF8 or Latin1.
  • Enable the NO_BACKSLASH_ESCAPES SQL mode: this prevents invalid characters from being created during escaping.
  • Use PDO and disable emulated prepared statements: PDO provides real prepared statements, which prevent potential injection vulnerabilities.
  • Use a newer version of MySQL (5.1 or higher): these versions fix the vulnerability that allows the injection attack described above.
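
Why the choice of character set decides whether the escaping holds can be checked at the byte level. The following Python sketch is an added example, not code from the original article; it uses a simplified model (an assumption) in which the client escapes byte by byte while the server decodes the query in the character set selected by SET NAMES, and all function names are hypothetical.

```python
# Simplified model (an assumption for illustration, not libmysqlclient code):
# the client escapes byte by byte with no multibyte awareness, while the
# server decodes the query in the charset selected by SET NAMES.
SPECIAL = {0x00: b"\\0", 0x0a: b"\\n", 0x0d: b"\\r", 0x1a: b"\\Z",
           0x22: b'\\"', 0x27: b"\\'", 0x5c: b"\\\\"}


def escape_bytewise(raw: bytes) -> bytes:
    """Backslash-escape special bytes, treating every byte as one character."""
    return b"".join(SPECIAL.get(b, bytes([b])) for b in raw)


def quote_survives(escaped: bytes, server_charset: str) -> bool:
    """Return True if the server-side decoding still contains a bare quote."""
    text = escaped.decode(server_charset, errors="replace")
    i = 0
    while i < len(text):
        if text[i] == "\\":
            i += 2  # a backslash neutralises the character that follows it
            continue
        if text[i] == "'":
            return True  # quote not preceded by a backslash: escaping failed
        i += 1
    return False


def audit(raw: bytes, charsets=("gbk", "utf-8", "latin-1")) -> dict:
    """Escape once, then check the result under each server charset."""
    escaped = escape_bytewise(raw)
    return {cs: quote_survives(escaped, cs) for cs in charsets}


# The byte string from step 2 of the article.
PAGE_INPUT = b"\xbf\x27 OR 1=1 /*"

if __name__ == "__main__":
    # The added backslash (0x5c) follows 0xbf; in GBK the pair 0xbf 0x5c is
    # one valid two-byte character, so the backslash no longer guards 0x27.
    print(escape_bytewise(PAGE_INPUT))
    for cs, bare in audit(PAGE_INPUT).items():
        print(f"{cs:8} bare quote after escaping: {bare}")
```

Under GBK the escaping backslash is absorbed into a two-byte character and the quote is left bare; under UTF-8 and Latin1 the backslash stays a separate character and the quote remains escaped.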

source:php.cn