In-depth analysis of mysql pdo wide character SQL Injection

First, check the following code $ pdo-> query ('set NAMES gbk'); $ var = chr (0xbf ). chr (0x27 ). "OR 1 = 1/*"; $ query = "SELECT * FROM test WHERE name =? LIMIT 1 "; $ stmt = $ pdo-> prepare ($ query); $ stmt-> execute (array ($ var); 1. SET names x is equivalent to the following: SET character_set_client = x SET character_set_results = x SET character_set_connection = x 2. set payload www.2cto.com 3. in-depth analysis of mysql prepare is actually simulated by the local PHP client, and the character set is not adjusted according to your mysql settings. It is recommended that you perform prepare with the mysql server and call mysql_set_character_set to perform the operation so that the server can escape data according to the character set. The underlying layer of prepare locally simulated by php is mysql_real_escape_string. Therefore, you must use mysql_set_character_set to set mysql-> charset. Otherwise, Character Set problems may occur. That is to say, in php, mysql_real_escape_string in pdo prepare is called locally to operate the query. The local single-byte character set is used, that is, the encoding is \ xbf \ x5c \ x27, and the query is carried into mysql, because set names is used to set the connection Character set, mysql uses the internal operation Character set gbk for operations, run the "SELECT * FROM test WHERE name = 'xxx' or 1 = 1/* LIMIT 1" command to inject a successful solution: Use the mysql_set_character_set function to set the character set.