Home >Backend Development >PHP Tutorial >Can addslashes() in PHP Still Lead to SQL Injection Vulnerabilities?
Can addslashes() in PHP Still Lead to SQL Injection Vulnerabilities?
- Linda HamiltonOriginal
- 2024-12-02 15:46:12848browse
SQL Injection Exploits through addslashes() in PHP
PHP's addslashes() function is known to be less secure than mysql_real_escape when it comes to preventing SQL injection vulnerabilities. While addslashes() is often criticized for its limitations, it's important to understand how it can lead to successful attacks.
Example Scenario
Consider the following code attempting to sanitize user input:
$input = addslashes($_GET['input']); $query = "SELECT * FROM users WHERE username='$input'";
The issue with this code is that addslashes() doesn't handle multibyte characters correctly. If an attacker provides a username containing a multibyte character that ends with the backslash () character, addslashes() will insert a backslash into the middle of the sequence, breaking its validity. This can result in the backslash being interpreted as an escape character within the SQL query instead of escaping the following single quote.
An example of a malicious input that could exploit this vulnerability is:
%E4%B8%80' OR 1=1 --
addslashes() would convert this to:
%E4%B8%80\' OR 1=1 --
The escaped backslash () now becomes a valid part of the multibyte sequence, allowing the attacker to execute arbitrary SQL commands (in this case, to bypass authentication).
General Caveat
The vulnerability arises because addslashes() can be tricked into creating a valid multi-byte character rather than escaping a following single quote character. This occurs when the character encoding used includes a valid multi-byte character that ends with 0x5c (the hexadecimal code for the backslash character). While UTF-8 does not meet this condition, other encodings, such as Latin1, do. Therefore, it's crucial to be aware of this potential vulnerability when using addslashes() for input sanitization and consider using more robust alternatives like mysql_real_escape.
The above is the detailed content of Can addslashes() in PHP Still Lead to SQL Injection Vulnerabilities?. For more information, please follow other related articles on the PHP Chinese website!