Use demo.php to demonstrate the effect. The code is as follows:
<?php
header("Content-Type: text/html; charset=gb2312");
echo $_GET["str"]; // value as received, already processed by gpc
echo "<br/>";
echo addslashes($_GET["str"]); // call the addslashes function to filter harmful characters
?>
Here gpc = on. First, look at the results:
1) http://127.0.0.1/demo.php?str=php
2) http://127.0.0.1/demo.php?str=php'
3) http://www.bkjia.com/demo.php?str=%d5'
In case 2, php' is filtered by gpc and addslashes, but in case 3 the input is not.
This %d5' can also be written as %d5%27. When %d5' is submitted, the ' is escaped, so the whole string becomes %d5\', and \ is encoded as 5c.
In %d5%5c, however, the high-bit byte %d5 merges with %5c into a single Chinese character in this encoding, so the \ is consumed and no longer works as an escape. In the end the ' from %d5' gets past the escaping and enters the SQL statement without filtering.
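The byte-level reason case 3 behaves differently from case 2, as an added example that is not part of the original page: it applies addslashes to both inputs and then splits the result the way a GBK-aware consumer would. The helper names gbk_units and has_bare_quote are hypothetical, and the inputs are constructed from the page's cases 2 and 3.

```php
<?php
// Added example: trace the page's cases 2 and 3 at the byte level.
// gbk_units() is a hypothetical helper that splits bytes the way a
// GBK-aware consumer would: a lead byte 0x81-0xFE followed by a trail
// byte 0x40-0xFE (not 0x7F) is one two-byte character.
function gbk_units(string $bytes): array {
    $units = [];
    $n = strlen($bytes);
    for ($i = 0; $i < $n; $i++) {
        $b = ord($bytes[$i]);
        $t = ($i + 1 < $n) ? ord($bytes[$i + 1]) : -1;
        if ($b >= 0x81 && $b <= 0xFE && $t >= 0x40 && $t <= 0xFE && $t !== 0x7F) {
            $units[] = substr($bytes, $i, 2);   // two-byte character
            $i++;
        } else {
            $units[] = $bytes[$i];              // single byte
        }
    }
    return $units;
}

// True if a quote is left without a backslash unit in front of it.
function has_bare_quote(array $units): bool {
    $escaped = false;
    foreach ($units as $u) {
        if ($escaped) { $escaped = false; continue; }
        if ($u === "\\") { $escaped = true; continue; }
        if ($u === "'") { return true; }
    }
    return false;
}

// Constructed inputs matching the page's cases 2 and 3 (after URL decoding).
$cases = ['2' => "php'", '3' => "\xd5'"];
foreach ($cases as $label => $raw) {
    $escaped = addslashes($raw);               // byte-wise escaping
    $units = gbk_units($escaped);
    printf("case %s: escaped bytes = %s, units = [%s], bare quote = %s\n",
        $label,
        bin2hex($escaped),
        implode(' ', array_map('bin2hex', $units)),
        has_bare_quote($units) ? 'yes' : 'no');
}
```

Because the escaping works on bytes while the consumer parses multi-byte characters, the reliable fix sits at the layer that knows the connection charset, such as parameterized queries.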
Author: lcx.cc