
The mysql_real_escape_string() function is handled differently in different versions of PHP!

WBOY, 2016-07-06 13:53:13

It was found that mysql_real_escape_string() behaves differently in different PHP versions. When I read security development documents online, the document said that to use mysql_real_escape_string() correctly, you first need to specify the MySQL connection character set, that is, use the mysql_set_charset() function. If the character set is not specified and the character encoding used is a wide-character one similar to GBK, it may cause wide-character injection.
Here I did a small experiment. I only used mysql_real_escape_string() and did not use the mysql_set_charset() function to specify the current connection character set. When the PHP version is 5.2.17, the wide-character injection succeeds; when the PHP version is 5.3.29, the wide-character injection fails. Checking the MySQL log shows that wide characters have also been escaped.

Code:

<code><?php
$conn = mysql_connect('localhost', 'root', 'root') or die('bad!');
// The charset is switched with a query only; mysql_set_charset() is deliberately not called
mysql_query("SET NAMES 'GBK'");
mysql_select_db('test', $conn) OR emMsg("连接数据库失败,未找到您填写的数据库");
if(get_magic_quotes_gpc()){
    $id = isset($_GET['id']) ? mysql_real_escape_string(stripslashes($_GET['id'])) : 1;
}else{
    $id = isset($_GET['id']) ? mysql_real_escape_string($_GET['id']) : 1;
}
// Execute the SQL statement
$sql = "SELECT * FROM news WHERE tid='{$id}'";
$result = mysql_query($sql, $conn) or die(mysql_error());
?></code>

MySQL log when using PHP version 5.2.17:

<code>            2 Query    SET NAMES 'GBK'
            2 Init DB    test
            2 Query    SELECT * FROM news WHERE tid='-1ࠜ' union select null,concat(name,0x40,pass),null from admin#'
            2 Quit</code>

MySQL log when using PHP version 5.3.29:

<code>            1 Query    SET NAMES 'GBK'
            1 Init DB    test
            1 Query    SELECT * FROM news WHERE tid='-1\ࠜ' union select null,concat(name,0x40,pass),null from admin#'
            1 Quit</code>

My question here is: is it not necessary to use mysql_set_charset() to specify the connection character set when the PHP version is 5.3.29? How can I judge whether it is needed?

Reply content:

This has nothing to do with the PHP version. The mysql and mysqli extensions are developed directly in C, and MySQL's third-party library is also provided through the C API.

So this should be related to the version of mysql.dll, that is, the version of the MySQL lib.

The version used by the mysql extension can be obtained with the mysql_get_client_info() function.

As for your question, you can refer to the MySQL developer manual: 23.8.7.53 mysql_real_escape_string()
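
An added example, not code from the original post or the answer: one way to check whether the client library and the server session agree on the connection character set, followed by the corrected query form. It uses mysqli in place of the mysql extension (removed in PHP 7.0); the host, credentials, `test` database and `news` table mirror the question's test setup, and `charset_state()` is a hypothetical helper.

```php
<?php
// Added example. mysqli is used because the old mysql extension was removed in PHP 7.0.
// Host, credentials, database and table mirror the question's test setup.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical helper: reports the charset the client library escapes with
// next to the charset the server session expects from the client.
function charset_state(mysqli $db): array
{
    $row = $db->query('SELECT @@character_set_client AS cs')->fetch_assoc();
    $client = $db->character_set_name(); // used by real_escape_string()
    return [
        'client'  => $client,
        'server'  => $row['cs'],
        'in_sync' => strcasecmp($client, $row['cs']) === 0,
    ];
}

$db = new mysqli('localhost', 'root', 'root', 'test');
echo 'client library: ', mysqli_get_client_info(), PHP_EOL;

// Weak setting from the question: only the server session is switched to GBK.
// The client library is never told, so its escaping keeps the old charset.
$db->query("SET NAMES 'GBK'");
print_r(charset_state($db));

// Corrected setting: set_charset() updates the client library and the server.
$db->set_charset('gbk');
$state = charset_state($db);
print_r($state);
if (!$state['in_sync']) {
    throw new RuntimeException('connection charset mismatch, refusing to escape');
}

// Preferred query form: a prepared statement sends the value separately
// from the SQL text, so no escaping decision is involved at all.
$id = $_GET['id'] ?? '1';
$stmt = $db->prepare('SELECT * FROM news WHERE tid = ?');
$stmt->bind_param('s', $id);
$stmt->execute();
$rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // get_result() needs mysqlnd
printf("%d row(s)\n", count($rows));
```

Running the check on each deployed PHP build shows which client library and client-side charset that build actually uses, which is the information the question asks how to judge.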
