SQL Injection bypasses single quotes

Source: Internet
Author: User

When magic_quotes_gpc = On, a single quotation mark in a submitted parameter is automatically escaped to \', which defeats many injection attacks.

GBK is a double-byte encoding: a Chinese character occupies two bytes. The lead byte lies in the range 0x81-0xFE and the trail byte in 0x40-0xFE (excluding 0x7F), a range that happens to include 0x5C, the encoding of the escape character \.

0xD5 0x5C is the GBK encoding of the Chinese character 誠 ("sincerity", chéng). URL encoding writes each byte as a percent sign followed by its hexadecimal value, so %d5%5c URL-decodes to that character.

The attack process is as follows:

The attacker requests http://www.2cto.com/test.php?username=test%d5'%20or%201=1%23&pwd=test

The browser encodes the username parameter value as follows (the single quotation mark is 0x27):

username=test%d5%27%20or%201=1%23

PHP URL-decodes it:

username = test 0xd5 0x27 0x20 or 0x20 1=1 0x23 (spaces are inserted between the text and the hexadecimal bytes for readability)

PHP's GPC escaping then adds a backslash: the single quote 0x27 becomes \', encoded as 0x5c 0x27:

username = test 0xd5 0x5c 0x27 0x20 or 0x20 1=1 0x23

Because the connection was initialised with SET NAMES 'gbk', the database decodes 0xd5 0x5c as the single character 誠, 0x27 as a single quote, 0x20 as a space and 0x23 as the MySQL comment marker #.

The resulting SQL statement is: SELECT * FROM user WHERE username = 'test誠' or 1 = 1 #' and password = 'test';

Everything after the comment marker # is ignored, so the statement is equivalent to

SELECT * FROM user WHERE username = 'test cheng' or 1 = 1;

The WHERE condition is always true, and the injection succeeds.

Notes:

0xD5 0x5C is not the only byte pair that swallows the escaping backslash; any lead byte in 0x81-0xFE followed by 0x5C behaves the same way.

The byte ranges of UTF-8 do not allow this problem, because its continuation bytes never fall in the ASCII range.

The same technique applies to XSS and other contexts when the server works in GBK. The following PHP fragment avoids the problem by keeping the client character set binary, so that the server does not reinterpret the escaped bytes as GBK pairs, while still using GBK for the connection and the results:
if ($this->server_info() > '4.1') {
    // mysql_query("set names 'gbk'");   // vulnerable: client charset becomes gbk
    // Client bytes are parsed as binary, so 0x5c 0x27 stays an escaped quote.
    mysql_query("SET character_set_connection = 'gbk', character_set_results = 'gbk', character_set_client = binary");
}
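To make the mechanism and the fix concrete, here is an added Python simulation (not code from the article) of PHP's byte-wise escaping and of a MySQL-style string-literal scanner under a GBK versus a binary client character set; the payload and query text are constructed for the example.

```python
# Added example: byte-level simulation of the escape step and of a MySQL-style
# string-literal scanner under two client charsets. Payload is constructed.

def addslashes(data: bytes) -> bytes:
    """Byte-wise escaping as PHP's magic_quotes_gpc / addslashes() perform it."""
    out = bytearray()
    for b in data:
        if b in (0x00, 0x22, 0x27, 0x5C):
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def is_gbk_pair(sql: bytes, i: int) -> bool:
    """True if sql[i], sql[i+1] form a GBK double-byte character:
    lead 0x81-0xFE, trail 0x40-0xFE excluding 0x7F (so 0x5C qualifies)."""
    return (i + 1 < len(sql) and 0x81 <= sql[i] <= 0xFE
            and 0x40 <= sql[i + 1] <= 0xFE and sql[i + 1] != 0x7F)

def literal_end(sql: bytes, start: int, charset: str) -> int:
    """Index just past the closing quote of the literal opened at sql[start].
    With 'gbk' a double-byte pair is consumed before the backslash check, so
    0xD5 0x5C is one character and the following 0x27 closes the literal.
    With 'binary' every byte stands alone and 0x5C 0x27 stays an escaped quote."""
    i = start + 1
    while i < len(sql):
        if charset == "gbk" and is_gbk_pair(sql, i):
            i += 2
        elif sql[i] == 0x5C:
            i += 2          # backslash escapes the next byte
        elif sql[i] == 0x27:
            return i + 1    # unescaped quote: literal closed
        else:
            i += 1
    return -1               # unterminated literal

def sql_after_username(username: bytes, charset: str) -> bytes:
    """Build the article's query and return the bytes the scanner treats as
    SQL once the username literal ends, i.e. what the server will parse."""
    sql = (b"SELECT * FROM user WHERE username = '" + addslashes(username)
           + b"' and password = '" + addslashes(b"test") + b"'")
    start = sql.index(b"'")
    return sql[literal_end(sql, start, charset):]

# Constructed payload: what PHP sees after URL-decoding test%d5%27%20or%201=1%23
PAYLOAD = b"test\xd5' or 1=1#"

if __name__ == "__main__":
    print("gbk   :", sql_after_username(PAYLOAD, "gbk"))     # ' or 1=1#' leaks into SQL
    print("binary:", sql_after_username(PAYLOAD, "binary"))  # only the intended tail
```

Under the GBK client charset the scanner closes the literal after 誠 and the rest of the payload is parsed as SQL; under the binary charset the escaped quote survives and the literal ends where the application intended.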
