The difference between PHP function addslashes and mysql_real_escape_string _php instance

Source: Internet
Author: User
Tags chr sql injection sql injection sample

First: Do not use mysql_escape_string, it has been deprecated, please use mysql_real_escape_string instead of it.

The difference between mysql_real_escape_string and addslashes is:

Difference One:

Addslashes does not know anything about the MySQL connection's character set. If you pass a string of code other than the byte code to the MySQL connection you are using, it will be nice to escape all the characters ', ', \ and \x00 bytes. If you are using other characters that are different from 8-bit and UTF-8, the values of these bytes may not all represent characters ', ', \ and \x00. As a result, MySQL receives these characters and an error occurs.

If you want to fix this bug, try using the Iconv function to convert the variable to UTF-16 and then escape using Addslashes.

This is one of the reasons to escape without using addslashes.

Difference Two:

In contrast to Addslashes, mysql_real_escape_string also escapes \ r, \ n, and \x1a. It seems that these characters must be correctly told to MySQL, otherwise you will get the wrong query results.

This is another reason to escape without using addslashes.

Addslashes V.s. mysql_real_escape_string

In GBK, 0xbf27 is not a legitimate character of multiple characters, but 0xbf5c is. In a single-byte environment, 0xbf27 is considered 0xbf followed by 0x27 ('), while 0xbf5c is considered 0XBF followed by 0x5c (\).

A single quote that is escaped with a backslash is not effective in preventing SQL injection attacks against MySQL. If you use Addslashes, then I'm lucky (the attacker, the same below). I just inject something like 0xbf27 and then addslashes it to 0xbf5c27, a valid multi-byte character followed by a single quote. In other words, I can ignore your escape and successfully inject a single quote. This is because 0XBF5C is treated as a single-byte character, not a double byte.

In this demo, I will use the MySQL 5.0 and PHP mysqli extensions. If you want to try, make sure you use GBK.

Create a table named users:

Copy Code code as follows:

CREATE TABLE Users (
Username VARCHAR () CHARACTER SET GBK,
Password VARCHAR () CHARACTER SET GBK,
PRIMARY KEY (username)
);

The following code simulates the case where the query data is escaped using only addslashes (or MAGIC_QUOTES_GPC):
Copy Code code as follows:

<?php
$mysql = Array ();
$db = Mysqli_init ();
$db->real_connect (' localhost ', ' lorui ', ' lorui.com ', ' lorui_db ');
/* SQL Injection Sample * *
$_post[' username ' = Chr (0XBF). Chr (0x27). ' or username = username/* '; $_post[' password '] = ' guess '; $mysql [' username '] = addslashes ($_post[' username ']); $mysql [' password '] = addslashes ($_post[' password ']); $sql = "SELECT * from users WHERE username = ' {$mysql [' username ']} ' and password = ' {$mysql [' Password ']} '"; $result = $db->query ($sql); if ($result->num_rows) {/* Success/else {/* failure/}

Despite the use of addslashes, I can successfully log in without knowing the username and password. I can easily use this vulnerability for SQL injection.

To avoid this vulnerability, use mysql_real_escape_string, prepare statements (Prepared statements, or "parameterized queries") or any of the mainstream database abstract class libraries.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.