Is addslashes() a Reliable Defense Against SQL Injection Attacks in PHP?

Understanding SQL Injections via addslashes()

In PHP, addslashes() is often compared to mysql_real_escape_string as a security measure against SQL injections. While both can assist in safeguarding data, examples demonstrate that addslashes() might permit exploitations.

One method an attack can occur is by manipulating addslashes() to incorporate a backslash into a multibyte character. As a result, the backslash's protective role is neutralized, and a malicious query can be constructed.

For example, consider the following query using addslashes():

$query = "SELECT * FROM users WHERE name = '" . addslashes($_GET['name']) . "'";

An attacker could pass the following as the "name" parameter:

'John Doe' OR 1 = 1 --

Normally, the single quote would be escaped by addslashes(). However, in this case, the attacker relies on the multibyte character "Ö". When "Ö" is encoded in UTF-8, it consists of three bytes: 0xC3, 0xB6, and 0x9C.

Addslashes() interprets the attacker's input as:

'John Doe' ÖR 1 \= 1 --

With the backslash placed within the multibyte character, addslashes() treats it as a continuation of the character rather than an escaping symbol. Consequently, the SQL query is not properly escaped, enabling the attacker to bypass security measures.

It's crucial to note that this type of attack only applies to character encodings where multibyte characters exist that end with 0x5c (the backslash character). UTF-8, however, does not conform to this, reducing its vulnerability to this specific attack vector.

The above is the detailed content of Is addslashes() a Reliable Defense Against SQL Injection Attacks in PHP?. For more information, please follow other related articles on the PHP Chinese website!