Use double-byte encoding to break PHP single quotes escape restrictions for SQL Injection

When magic_quotes_gpc in php. ini is set to on, the submitted parameters are escaped. For example, single quotes are escaped. All of a sudden, the routing of injection is truncated.
 
GBK dubyte encoding: a Chinese character is expressed in two bytes. The first byte corresponds to 0x81-0xFE, And the last byte corresponds to 0x40-0xFE (except 0x7F), which exactly covers the corresponding encoding 0x5C.
 
0xD5 0x5C corresponds to the Chinese character "yellow", so % d5 % 5c is "yellow" after URL Decoding ".
 
Therefore, after the parameter % d5 is submitted and automatically escaped by PHP, It is % d5 % 5c % 27 (escape as, corresponding to % 5c % 27). After URL Decoding, it becomes a token.
 
In this way, the restriction of single quotes escape is broken.
 
 
The local test is as follows:
 
 
The test script index. php is as follows:
 
 
 
<? Php
$ Conn = 0;
$ Conn = mysql_connect ("localhost", "root", "see2006 ");
If (! $ Conn)
{
Die ("cannot open the database connection, error:". mysql_error ());
}
 
// Select a database
Mysql_select_db ("test", $ conn );
 
// Set the character set of mysql output data
Mysql_query ("set names gbk ");
 
$ SQL = "select * from news where content like %". $ _ REQUEST [k]. "% ";
Echo "Current SQL statement:". $ SQL. "<br/> ";
 
$ Result = mysql_query ($ SQL, $ conn );
 
If (! $ Result)
Echo mysql_error ();
 
While ($ result & $ row = mysql_fetch_array ($ result ))
{
Echo "$ row [title] <br/> ";
}
?>
 
 
 
 
The search keyword is blank. All entries are displayed.
 
 
 
 
PHP automatically escapes single quotes
 
 
 
 
An error occurred while using double-byte encoding to bypass PHP escaping.
 
 
 
 
Correct syntax using the # annotated SQL statement
 
 
 
 
Number of union guess fields and positions of displayed Fields
 
 
 
 
View Current user in union
 
 
 
 
View the current database name in union
 
 
 
 
View test database table names in union
 
 
 
 
View the name field value of the user table in union
 
 
 
 
Union: view the pass field value of the user table