Difference between the PHP function addslashes and mysql_real_escape_string
- Create table users (
- Username VARCHAR (32) character set gbk,
- Password VARCHAR (32) character set gbk,
- Primary key (username)
- );
In this example, when only addslashes (or magic_quotes_gpc) is used to escape the queried data:
- $ Mysql = array ();
- $ Db = mysqli_init ();
- $ Db-> real_connect ('localhost', 'lorui ', 'lorui. com', 'lorui _ db ');
- /* SQL injection example */
- $ _ POST ['username'] = chr (0xbf ). chr (0 × 27 ). 'OR username = username/*'; $ _ POST ['password'] = 'Guess '; $ mysql ['username'] = addslashes ($ _ POST ['username']); $ mysql ['password'] = addslashes ($ _ POST ['password']); $ SQL = "SELECT * FROM users WHERE username = '{$ mysql ['username']}' AND password = '{$ mysql ['password']}'"; $ result = $ db-> query ($ SQL); if ($ result-> num_rows) {/* succeeded */} else {/* failed */}
Even if addslashes is used, you can log on successfully without knowing the user name and password. This vulnerability can be easily exploited for SQL injection. To avoid this vulnerability, use mysql_real_escape_string, the Prepared statement (Prepared Statements, I .e. "parameterized query"), or any mainstream database abstract class library. |