htmlspecialchars() only encodes double quotes by default (ENT_COMPAT), so a plain htmlspecialchars($str) leaves single quotes untouched, which can lead to injection.
| Parameter | Description |
|---|---|
| string | Required. The string to convert. |
| flags | Optional. Specifies how to handle quotes, invalid encodings, and which document type to use. The available values are listed below. |

Quote handling:

- ENT_COMPAT - Default. Encodes only double quotes.
- ENT_QUOTES - Encodes both double and single quotes.
- ENT_NOQUOTES - Does not encode any quotes.

Invalid encoding:

- ENT_IGNORE - Silently discards invalid code unit sequences instead of having the function return an empty string. Should be avoided, as this may have security implications.
- ENT_SUBSTITUTE - Replaces invalid code unit sequences with the Unicode replacement character U+FFFD (UTF-8) instead of returning an empty string.
- ENT_DISALLOWED - Replaces code points that are invalid for the specified document type with the Unicode replacement character U+FFFD (UTF-8).

Document type:

- ENT_HTML401 - Default. Handle code as HTML 4.01.
- ENT_HTML5 - Handle code as HTML 5.
- ENT_XML1 - Handle code as XML 1.
- ENT_XHTML - Handle code as XHTML.
```php
<?php
// Reads a GET parameter and echoes it with the default flags (ENT_COMPAT).
$a = $_GET['a'];
echo htmlspecialchars($a);
```

Requesting 1.php?a=1%27%22%27 outputs 1'&quot;' in the HTML source, i.e. 1'"' on the page: the double quote was encoded, the single quotes were not.

Example: in BEESCMS v4.0_R_20150708 the admin/login.php code is as follows:
```php
elseif ($action == 'ck_login') {
    global $submit, $user, $password, $_sys, $code;
    $submit   = $_POST['submit'];
    // user and password pass through fl_value() (keyword blacklist) and fl_html() (htmlspecialchars)
    $user     = fl_html(fl_value($_POST['user']));
    $password = fl_html(fl_value($_POST['password']));
    $code     = $_POST['code'];
    if (!isset($submit)) {
        msg('Please enter from the login page');
    }
    if (empty($user) || empty($password)) {
        msg("Password or user name cannot be empty");
    }
    if (!empty($_sys['safe_open'])) {
        foreach ($_sys['safe_open'] as $k => $v) {
            if ($v == '3') {
                if ($code != $s_code) {
                    msg("The verification code is incorrect");
                }
            }
        }
    }
    check_login($user, $password);
    $user     = fl_html(fl_value($_POST['user']));
    $password = fl_html(fl_value($_POST['password']));
}
```
$user and $password are received via POST and processed by fl_value() and fl_html(), both defined in includes/fun.php:

```php
// Keyword blacklist: note that most keywords are only matched with surrounding spaces.
function fl_value($str)
{
    if (empty($str)) {
        return;
    }
    return preg_replace('/select|insert | update | and | in | on | left | joins | delete |\%|\=|\/\*|\*|\.\.\/|\.\/| union | from | where | group | into |load_file|outfile/i', '', $str);
}

define('INC_BEES', 'B' . 'EE' . 'SCMS');

// Output encoding with the default flags: only double quotes are encoded.
function fl_html($str)
{
    return htmlspecialchars($str);
}
```

fl_value() filters a list of keywords, and fl_html() uses htmlspecialchars(), which with the default flags only encodes double quotes. The filtered $user is then concatenated into the query in check_login():

```php
function check_login($user, $password)
{
    // $user is placed inside a single-quoted SQL literal, but single quotes were never encoded
    $rel = $GLOBALS['mysql']->fetch_asc("select id,admin_name,admin_password,admin_purview,is_disable from " . DB_PRE . "admin where admin_name='" . $user . "' limit 0,1");
    // ... (remainder of check_login not shown on the page)
}
```
Because single quotes are not encoded, an injected single quote terminates the admin_name string literal and allows injection. The regex in fl_value() only matches ' union ' and ' on ' with surrounding spaces, so writing them without the spaces (unionon) is not matched, and the other keywords can be bypassed by writing them doubled.
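As an added example (not code from the page or from BEESCMS), the following shows the flag difference on the same input and the admin lookup from check_login() rewritten with a mysqli prepared statement; the mysqli connection $db, the DB_PRE value and the helper names are assumptions.

```php
<?php
// Added example, not code from the page or from BEESCMS.
// Part 1: the same input through the default flags and through ENT_QUOTES.
$input = "1'\"'";                               // constructed sample value: 1'"'

// ENT_COMPAT (the default) encodes only the double quote.
echo htmlspecialchars($input), "\n";            // 1'&quot;'
// ENT_QUOTES encodes both quote types (ENT_HTML401 renders ' as &#039;).
echo htmlspecialchars($input, ENT_QUOTES | ENT_HTML401, 'UTF-8'), "\n"; // 1&#039;&quot;&#039;

// Part 2: the admin lookup rewritten with a prepared statement.
// Neither fl_value()'s keyword blacklist nor htmlspecialchars() is SQL escaping;
// binding the value keeps it out of the SQL grammar whatever characters it contains.
if (!defined('DB_PRE')) {
    define('DB_PRE', 'bees_');                  // assumed table prefix, placeholder only
}

function check_login_safe(mysqli $db, string $user): ?array
{
    $sql = 'SELECT id, admin_name, admin_password, admin_purview, is_disable FROM '
         . DB_PRE . 'admin WHERE admin_name = ? LIMIT 0,1';
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $user);              // $user is sent as data, never as SQL text
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();  // get_result() needs the mysqlnd driver
    $stmt->close();
    return $row ?: null;
}

// Part 3: encode at output time, with ENT_QUOTES, rather than mangling input.
function render_admin_name(?array $row): string
{
    return htmlspecialchars($row['admin_name'] ?? '', ENT_QUOTES | ENT_HTML401, 'UTF-8');
}

// Usage (assumes a mysqli connection $db is already open):
// $row = check_login_safe($db, $_POST['user'] ?? '');
// if ($row !== null) { /* verify the submitted password against $row['admin_password'] */ }
```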
View Original: http://www.am0s.com/functions/181.html