Web Security Magic quotes and injection types

Source: Internet
Author: User

I. Magic quotes

1. The magic_quotes_gpc directive

What are magic quotes

Warning
This feature has been deprecated since PHP 5.3.0 and is removed as of PHP 5.4.0.
When turned on, all ' (single quote), " (double quote), \ (backslash) and NUL characters are automatically escaped with a backslash. This is exactly what the addslashes() function does.

There are three magic quote directives:

magic_quotes_gpc: affects HTTP request data (GET, POST and COOKIE). Cannot be changed at run time. The default value in PHP is on. See get_magic_quotes_gpc().
magic_quotes_runtime: if turned on, most functions that fetch data from an external source and return it, including databases and text files, have the quotes in that data escaped with backslashes. This option can be changed at run time, and the default value in PHP is off. See set_magic_quotes_runtime() and get_magic_quotes_runtime().
magic_quotes_sybase: if turned on, single quotes are escaped with a single quote instead of a backslash. This option completely overrides magic_quotes_gpc. If both options are on at the same time, only single quotes are escaped, as ''. Double quotes, backslashes and NUL characters are not escaped. To read its value, see ini_get().

2. The addslashes() function

addslashes - quote a string with backslashes

Description

string addslashes ( string $str )
Returns a string with a backslash added before each character that needs to be escaped in a database query and similar contexts. These characters are the single quote ('), the double quote ("), the backslash (\) and NUL (the NULL byte).

An example of using addslashes() is when you are entering data into a database. For example, to insert the name O'Reilly into a database, the quote needs to be escaped. It is strongly recommended to use the escape function specific to the DBMS (for example mysqli_real_escape_string() for MySQL and pg_escape_string() for PostgreSQL), but if the DBMS you are using has no escape function and uses \ to escape special characters, you can use this function. The escaping only serves to get the data into the database; the extra \ is not inserted. When the PHP directive magic_quotes_sybase is set to on, ' is escaped with another ' instead.

Before PHP 5.4, the PHP directive magic_quotes_gpc is on by default, which in effect runs addslashes() on all GET, POST and COOKIE data. Do not use addslashes() on strings that have already been escaped by magic_quotes_gpc, because this results in double escaping. You can use the function get_magic_quotes_gpc() to detect this situation.

Parameters

str
The string to be escaped.

Return value

Returns the escaped string.

3. Bypass method

Wide-byte injection under GBK encoding: %DF

II. Injection types

1. Numeric injection:

Demo code: $sql = "SELECT * FROM news WHERE id=$id"
After the value is passed in: $sql = "SELECT * FROM news WHERE id=1"
Bypass method: inject directly
Bypass code: $sql = "SELECT * FROM news WHERE id=1 union select"


2. Character injection:

Demo code: $sql = "SELECT * FROM news WHERE id='$name'"
After the value is passed in: $sql = "SELECT * FROM news WHERE id='xiaodi'"
Bypass method: close the leading and trailing single quotes
Bypass code: $sql = "SELECT * FROM news WHERE id='xiaodi' union select and '1'='1'"


3. Search injection:

Demo code: $sql = "SELECT * FROM news WHERE name LIKE '%$username%' ORDER BY name"
After the value is passed in: $sql = "SELECT * FROM news WHERE name LIKE '%xiaodi%' ORDER BY name"
Bypass method: close the % wildcard and the single quote
Bypass code: $sql = "SELECT * FROM news WHERE name LIKE '%xiaodi%' union select and '%'='%' ORDER BY name"
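
The three query shapes above rewritten with bound parameters, so that the result no longer depends on magic quotes or addslashes(). This is an added example, not code from the original page; the in-memory SQLite database, the sample rows, the function names and the '!' LIKE escape character are assumptions made for the illustration.

```php
<?php
// Added example. Constructed in-memory table standing in for the page's `news` table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO news (name) VALUES ('xiaodi'), ('O''Reilly'), ('50%_off')");

// 1. Numeric: accept only a well-formed integer, then bind it as an integer.
function newsById(PDO $pdo, string $rawId): array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [];   // anything that is not a plain integer never reaches the query
    }
    $stmt = $pdo->prepare('SELECT * FROM news WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Character: the value is bound, so a quote in it is data, not SQL syntax.
function newsByName(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT * FROM news WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Search: bind the whole pattern and neutralise the LIKE wildcards in the
//    user's term ('!' is the escape character chosen for this example).
function newsSearch(PDO $pdo, string $term): array
{
    $escaped = strtr($term, ['!' => '!!', '%' => '!%', '_' => '!_']);
    $stmt = $pdo->prepare("SELECT * FROM news WHERE name LIKE :pat ESCAPE '!' ORDER BY name");
    $stmt->execute([':pat' => '%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs modelled on the page's three cases.
$cases = [
    'numeric, well-formed'  => newsById($pdo, '1'),
    'numeric, with trailer' => newsById($pdo, '1 union select'),
    'character, with quote' => newsByName($pdo, "O'Reilly"),
    'search, literal %'     => newsSearch($pdo, '50%'),
    'search, quote and %'   => newsSearch($pdo, "%' union select"),
];
foreach ($cases as $label => $rows) {
    printf("%-22s %d row(s)\n", $label, count($rows));
}
```

With MySQL, set the connection charset in the DSN and set PDO::ATTR_EMULATE_PREPARES to false so that binding is done by the server rather than by client-side escaping.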

End.
