Menu
On http://www.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/?akst_action=share-this , there is a section that claims you can bypass mysql_real_escape_string with certain Asian character encodings
Bypassing mysql_real_escape_string() with BIG5 or GBK
"injection string"
に関する追加情報:the above chars are Chinese Big5
Is this really true? And if so, how would you protect your website against this, if you had no access to prepared statements?
241
mysql_real_escape_string is safe to use if used properly (ie, everywhere you're inserting PHP variables into your queries), but as has been pointed out in the comments it's not the only thing you need to worry about. For example, HTML markup could be inserted into your DB and used for Cross Site Scripting attacks.
mysql_real_escape_string is usually enough to avoid SQL injection. This does depend on it being bug free though, i.e. there's some small unknown chance it is vulnerable (but this hasn't manifested in the real world yet).
It does not prevent other injections like HTML injection or Cross-Site Scripting (XSS).
The real_escape_string() / mysqli_real_escape_string() function escapes special characters in a string for use in an SQL query, taking into account the current character set of the connection.
According to Stefan Esser, "mysql_real_escape_string() [is] not safe when SET NAMES is used."
His explanation, from his blog:
SET NAMES is usually used to switch the encoding from what is default to what the application needs. This is done in a way that
mysql_real_escape_stringdoesn’t know about this. This means if you switch to some multi byte encoding that allows backslash as 2nd 3rd 4th… byte you run into trouble, becausemysql_real_escape_stringdoesn’t escape correctly. UTF-8 is safe…Safe way to change encoding is
mysql_set_charset, but that is only available in new PHP versions
He does mention that UTF-8 is safe, though.
118
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
