SQL injection that bypasses mysql_real_escape_string() under certain circumstances
mysql_real_escape_string() is generally believed to eliminate SQL injection, but it only escapes bytes according to the character set it thinks the connection uses. When that assumption is wrong, or on old MySQL versions with flawed multibyte handling, the escaping can be bypassed.
Vulnerability Analysis
The flaw appears when the connection uses a multibyte character set in which the backslash byte 0x5c is a valid trailing byte of a two-byte character (e.g., gbk, sjis, big5, cp932) and mysql_real_escape_string() does not know it. In PHP this happens when the character set is switched with a SET NAMES query instead of mysql_set_charset(): the server now parses queries as gbk, but the client library still escapes as if the connection were single-byte (latin1). An attacker then sends an invalid multibyte sequence such as the two bytes 0xbf 0x27. Escaping inserts a backslash in front of the quote, producing 0xbf 0x5c 0x27; the server reads 0xbf 0x5c as one valid gbk character, so the following 0x27 is a bare quote that terminates the string literal and the rest of the input is executed as SQL. Before MySQL 5.0.22 (CVE-2006-2753) the escaping routine mishandled such invalid sequences even when the character set was set correctly; the fix escapes an orphan lead byte itself, so the inserted backslash can no longer be absorbed.
Example
Consider the following PHP code:
<code class="language-php">// Vulnerable: the connection charset is switched with SET NAMES, so the
// client library still escapes as if the connection were single-byte.
mysql_query("SET NAMES gbk");
$login = mysql_real_escape_string($_POST['login']);
$password = mysql_real_escape_string($_POST['password']);
$sql = "SELECT * FROM table WHERE login='$login' AND password='$password'";
$result = mysql_query($sql);</code>
If an attacker sets $_POST['login'] to the bytes \xbf\x27 OR 1=1 /*, mysql_real_escape_string() turns \xbf\x27 into \xbf\x5c\x27. The server, parsing the query as gbk, reads \xbf\x5c as a single character, so the \x27 that follows closes the string literal and the remaining input, OR 1=1 /*, is executed as SQL; the comment marker discards the password check and the query returns every row in the table.
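As an added illustration (not code from the original article), the following Python script models the byte-level behaviour described in the analysis and in the example above. The escaping routines and the string-literal reader are simplified models written for this page of libmysqlclient's escape_string_for_mysql() and of the server lexer's handling of quoted literals; they are not the real code. The table name users and the password value x are made up. The script compares the single-byte escaping a client performs when it was never told the connection is gbk with the charset-aware escaping used since the CVE-2006-2753 fix, and shows where the server ends the login literal in each case.

```python
# Added example for this page: a byte-level model of the gbk escaping bypass.
# The helpers are simplified models written here, not libmysqlclient code.

LEAD_LO, LEAD_HI = 0x81, 0xFE                  # gbk lead-byte range
TRAIL_RANGES = ((0x40, 0x7E), (0x80, 0xFE))    # gbk trail-byte ranges; 0x5C is allowed

# Bytes that mysql_real_escape_string() rewrites, and what they become.
ESCAPES = {
    0x00: b"\\0", 0x0A: b"\\n", 0x0D: b"\\r", 0x1A: b"\\Z",
    0x5C: b"\\\\", 0x27: b"\\'", 0x22: b'\\"',
}

# Constructed attacker input: an orphan gbk lead byte followed by a quote.
PAYLOAD = b"\xbf\x27 OR 1=1 /*"


def gbk_char_len(buf: bytes, i: int) -> int:
    """Return 2 if buf[i:i+2] is a valid two-byte gbk character, else 0.
    Models my_ismbchar() for the gbk charset."""
    if LEAD_LO <= buf[i] <= LEAD_HI and i + 1 < len(buf):
        t = buf[i + 1]
        if any(lo <= t <= hi for lo, hi in TRAIL_RANGES):
            return 2
    return 0


def escape_single_byte(s: bytes) -> bytes:
    """Escaping done by a client that still believes the connection charset
    is single-byte (e.g. latin1) because the server was switched to gbk
    with a SET NAMES query instead of mysql_set_charset()."""
    return b"".join(ESCAPES.get(b, bytes([b])) for b in s)


def escape_gbk_aware(s: bytes) -> bytes:
    """Escaping done when the client knows the connection is gbk, modelled
    on escape_string_for_mysql() after the CVE-2006-2753 fix: valid
    multibyte characters are copied through, and a lone lead byte that is
    not followed by a valid trail byte is itself backslash-escaped, so the
    backslash inserted before the quote cannot be absorbed."""
    out = bytearray()
    i = 0
    while i < len(s):
        n = gbk_char_len(s, i)
        if n:
            out += s[i:i + n]
            i += n
            continue
        b = s[i]
        if LEAD_LO <= b <= LEAD_HI:            # orphan lead byte
            out += b"\\" + bytes([b])
        else:
            out += ESCAPES.get(b, bytes([b]))
        i += 1
    return bytes(out)


def read_gbk_string_literal(buf: bytes) -> tuple:
    """Simplified model of how the MySQL lexer reads a '...' literal on a
    gbk connection: a valid multibyte character is skipped whole (checked
    before anything else), a backslash consumes the following byte, and a
    bare quote ends the literal. Returns (literal_bytes, remaining_sql)."""
    if buf[:1] != b"'":
        raise ValueError("expected a quoted literal")
    lit = bytearray()
    i = 1
    while i < len(buf):
        n = gbk_char_len(buf, i)
        if n:
            lit += buf[i:i + n]
            i += n
            continue
        b = buf[i]
        if b == 0x5C and i + 1 < len(buf):      # backslash escape
            lit.append(buf[i + 1])
            i += 2
            continue
        if b == 0x27:                          # closing quote
            return bytes(lit), buf[i + 1:]
        lit.append(b)
        i += 1
    raise ValueError("unterminated string literal")


def build_query(login: bytes, escape) -> bytes:
    """The article's query with a constructed table name and password."""
    return (b"SELECT * FROM users WHERE login='" + escape(login)
            + b"' AND password='" + escape(b"x") + b"'")


def sql_after_login_literal(login: bytes, escape) -> bytes:
    """What the server parses as SQL once the login literal has ended."""
    q = build_query(login, escape)
    start = q.index(b"login=") + len(b"login=")
    _literal, rest = read_gbk_string_literal(q[start:])
    return rest


if __name__ == "__main__":
    for name, esc in (("single-byte escaping", escape_single_byte),
                      ("gbk-aware escaping", escape_gbk_aware)):
        print(f"{name}: escaped={esc(PAYLOAD)!r}")
        print(f"  SQL after the login literal: {sql_after_login_literal(PAYLOAD, esc)!r}")
    # 0xBF 0x5C really is one gbk character, which is why the backslash vanishes.
    print("gbk decodes 0xBF5C as", b"\xbf\x5c".decode("gbk"))
```

With single-byte escaping the text after the login literal begins with OR 1=1 /*, i.e. the injected condition has become SQL; with gbk-aware escaping the literal swallows the whole payload and the parser continues at AND password='x' as intended. The same mismatch exists for sjis and big5, where 0x5c is likewise a valid trail byte.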
Mitigation Measures
To mitigate this vulnerability, set the connection character set with mysql_set_charset() (or, with PDO, the charset parameter of the DSN, available since PHP 5.3.6), never with a SET NAMES query, so that the escaping function uses the same character set the server does. Better still, use prepared statements with bound parameters through mysqli or PDO, which send values separately from the SQL text so that escaping is not needed at all. Note that the mysql_* extension itself was removed in PHP 7.0, so code relying on mysql_real_escape_string() should be migrated in any case.