DatabaseMysql TutorialCan SQL Injection Bypass `mysql_real_escape_string()` Due to Character Encoding Issues?Can SQL Injection Bypass `mysql_real_escape_string()` Due to Character Encoding Issues?
Using character encoding issues to bypass mysql_real_escape_string()’s SQL injection
Although the mysql_real_escape_string() function protects against SQL injection, it may be bypassed under certain circumstances.
Consider the following PHP code:
$login = mysql_real_escape_string(GetFromPost('login'));
$password = mysql_real_escape_string(GetFromPost('password'));
$sql = "SELECT * FROM table WHERE login='$login' AND password='$password'";
This code appears to be safe, but it can be exploited due to edge cases in character set encoding.
Attack method:
The attack relies on the following steps:
- Set character set: Select an encoding (e.g., gbk) where the same sequence of bytes represents both non-ASCII characters and ASCII backslash ('').
- Constructing the payload: Use a carefully constructed payload that contains invalid multibyte characters, ensuring that its last byte represents an ASCII backslash.
-
calls
mysql_real_escape_string(): The client thinks the connection is using a different character set (e.g., latin1), somysql_real_escape_string()inserts a backslash before the single quote, resulting in a syntactically valid string. - Submit query: The escaped payload becomes part of the SQL statement, allowing the attacker to bypass intended protections.
How it works:
The key problem is that the character set expected by the server does not match what the client thinks it is. Although mysql_real_escape_string() is escaped according to the connection encoding set by the client, it will treat invalid multi-byte characters as single bytes in some cases, including cases where SET NAMES is used instead of mysql_set_charset().
Consequences:
This attack can bypass PDO's simulated prepared statements even if simulated prepared statements are disabled.
Remedy:
Using a non-vulnerable character set, such as utf8mb4 or utf8, can mitigate this problem. Enabling NO_BACKSLASH_ESCAPES SQL mode also provides protection.
Safe example:
Always set the charset correctly using mysql_set_charset() or PDO's DSN charset parameter. Real prepared statements in MySQLi are also immune to this attack.
Conclusion:
While mysql_real_escape_string() generally provides strong protection, it is important to be aware of potential edge cases like this to ensure complete protection against SQL injection.
The above is the detailed content of Can SQL Injection Bypass `mysql_real_escape_string()` Due to Character Encoding Issues?. For more information, please follow other related articles on the PHP Chinese website!
MySQL String Types: Storage, Performance, and Best PracticesMay 10, 2025 am 12:02 AMMySQLstringtypesimpactstorageandperformanceasfollows:1)CHARisfixed-length,alwaysusingthesamestoragespace,whichcanbefasterbutlessspace-efficient.2)VARCHARisvariable-length,morespace-efficientbutpotentiallyslower.3)TEXTisforlargetext,storedoutsiderows,
Understanding MySQL String Types: VARCHAR, TEXT, CHAR, and MoreMay 10, 2025 am 12:02 AMMySQLstringtypesincludeVARCHAR,TEXT,CHAR,ENUM,andSET.1)VARCHARisversatileforvariable-lengthstringsuptoaspecifiedlimit.2)TEXTisidealforlargetextstoragewithoutadefinedlength.3)CHARisfixed-length,suitableforconsistentdatalikecodes.4)ENUMenforcesdatainte
What are the String Data Types in MySQL?May 10, 2025 am 12:01 AMMySQLoffersvariousstringdatatypes:1)CHARforfixed-lengthstrings,2)VARCHARforvariable-lengthtext,3)BINARYandVARBINARYforbinarydata,4)BLOBandTEXTforlargedata,and5)ENUMandSETforcontrolledinput.Eachtypehasspecificusesandperformancecharacteristics,sochoose
How to Grant Permissions to New MySQL UsersMay 09, 2025 am 12:16 AMTograntpermissionstonewMySQLusers,followthesesteps:1)AccessMySQLasauserwithsufficientprivileges,2)CreateanewuserwiththeCREATEUSERcommand,3)UsetheGRANTcommandtospecifypermissionslikeSELECT,INSERT,UPDATE,orALLPRIVILEGESonspecificdatabasesortables,and4)
How to Add Users in MySQL: A Step-by-Step GuideMay 09, 2025 am 12:14 AMToaddusersinMySQLeffectivelyandsecurely,followthesesteps:1)UsetheCREATEUSERstatementtoaddanewuser,specifyingthehostandastrongpassword.2)GrantnecessaryprivilegesusingtheGRANTstatement,adheringtotheprincipleofleastprivilege.3)Implementsecuritymeasuresl
MySQL: Adding a new user with complex permissionsMay 09, 2025 am 12:09 AMToaddanewuserwithcomplexpermissionsinMySQL,followthesesteps:1)CreatetheuserwithCREATEUSER'newuser'@'localhost'IDENTIFIEDBY'password';.2)Grantreadaccesstoalltablesin'mydatabase'withGRANTSELECTONmydatabase.TO'newuser'@'localhost';.3)Grantwriteaccessto'
MySQL: String Data Types and CollationsMay 09, 2025 am 12:08 AMThe string data types in MySQL include CHAR, VARCHAR, BINARY, VARBINARY, BLOB, and TEXT. The collations determine the comparison and sorting of strings. 1.CHAR is suitable for fixed-length strings, VARCHAR is suitable for variable-length strings. 2.BINARY and VARBINARY are used for binary data, and BLOB and TEXT are used for large object data. 3. Sorting rules such as utf8mb4_unicode_ci ignores upper and lower case and is suitable for user names; utf8mb4_bin is case sensitive and is suitable for fields that require precise comparison.
MySQL: What length should I use for VARCHARs?May 09, 2025 am 12:06 AMThe best MySQLVARCHAR column length selection should be based on data analysis, consider future growth, evaluate performance impacts, and character set requirements. 1) Analyze the data to determine typical lengths; 2) Reserve future expansion space; 3) Pay attention to the impact of large lengths on performance; 4) Consider the impact of character sets on storage. Through these steps, the efficiency and scalability of the database can be optimized.
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
SecLists
SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.
PhpStorm Mac version
The latest (2018.2.1) professional PHP integrated development tool
Zend Studio 13.0.1
Powerful PHP integrated development environment
SublimeText3 Linux new version
SublimeText3 Linux latest version
