Addslashes () Versus mysql_real_escape_string ()

Source: Internet
Author: User
Tags sql injection attack

Last month, I discussed Google's XSS Vulnerability and provided an example that demonstrates it. I was hoping to highlight why character encoding consistency is important, but apparently the addslashes () versus mysql_real_escape_string () debate continues. demonstrating Google's XSS vulnerability is pretty easy. demonstrating an SQL injection attack that is immune to addslashes () is a bit more involved, but still pretty straightforward.
 
In GBK, 0xbf27 is not a valid multi-byte character, but 0xbf5c is. interpreted as single-byte characters, 0xbf27 is 0xbf (distinct) followed by 0x27 ('), and 0xbf5c is 0xbf (distinct) followed by 0x5c (\).
 
How does this help? If I want to attempt an SQL injection attack against a MySQL database, having single quotes escaped with a backslash is a bummer. if you're using addslashes (), however, I'm in luck. all I need to do is inject something like 0xbf27, and addslashes () modifies this to become 0xbf5c27, a valid multi-byte character followed by a single quote. in other words, I can successfully inject a single quote despite your escaping. that's because 0xbf5c is interpreted as a single character, not two. oops, there goes the backslash.
 
I'm going to use MySQL 5.0 and PHP's mysqli extension for this demonstration. if you want to try this yourself, make sure you're using GBK. I just changed/etc/my. cnf, but that's because I'm testing locally:
 
Toggle Code View
[Client]
Default-character-set = GBK
 
Create a table called users:
 
Toggle Code View
Create table users (
Username VARCHAR (32) character set gbk,
Password VARCHAR (32) character set gbk,
Primary key (username)
);
 
The following script mimics a situation where only addslashes () (or magic_quotes_gpc) is used to escape the data being used in a query:
 
Toggle Code View
<? Php
 
$ Mysql = array ();
 
$ Db = mysqli_init ();
$ Db-> real_connect ('localhost', 'myuser', 'mypass', 'mydb ');
 
 
$ _ POST ['username'] = chr (0xbf ).
Chr (0x27 ).
'OR username = username
} Else {
 
}
 
?>
 
Despite the use of addslashes (), I'm able to log in successfully without knowing a valid username or password. I can simply exploit the SQL injection vulnerability.
 
To avoid this type of vulnerability, use mysql_real_escape_string (), prepared statements, or any of the major database contains action libraries.
 
This type of attack is possible with any character encoding where there is a valid multi-byte character that ends in 0x5c, because addslashes () can be tricked into creating a valid multi-byte character instead of escaping the single quote that follows. A UTF-8 does not fit this description.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.