Assessing the Security of mysql_real_escape_string() against SQL Injection with Asian Encodings
Question:
A security vulnerability has been reported claiming that mysql_real_escape_string() can be bypassed using specific Asian character encodings, such as BIG5 or GBK. Is this vulnerability valid, and if so, how can we mitigate it without using prepared statements?
Answer:
According to Stefan Esser, a PHP developer, mysql_real_escape_string() is not fully safe against SQL injection when certain encoding settings are used.
Explanation:
The issue arises when the SET NAMES command is used to change the connection's character encoding. This changes how the server interprets special characters such as the backslash (\), but mysql_real_escape_string() keeps escaping according to the encoding it assumed when the connection was opened and does not adjust its escaping logic to the new one.
Therefore, if an attacker supplies bytes in an encoding where a backslash can be consumed as the trailing byte of a multibyte character, the backslash that mysql_real_escape_string() inserts may be absorbed into that character and the quote it was meant to escape survives intact. This can lead to a successful SQL injection.
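The following is an added byte-level model of the explanation above, not code from the original answer or from MySQL: it contrasts an escaper that assumes a single-byte charset with one that knows the connection is GBK, and simulates how the server's lexer consumes the resulting bytes. The GBK lead/trail byte ranges and the lexer behaviour (multibyte character consumed whole, backslash consumes one byte) are assumptions stated in the comments; it runs offline with no database.

```python
# Added example (not the answer's code): byte-level model of why escaping that
# assumes a single-byte charset fails once the connection is switched to GBK.
# Pure Python, no MySQL; GBK lead 0x81-0xFE, trail 0x40-0x7E or 0x80-0xFE.

def gbk_char_len(data: bytes, i: int) -> int:
    """2 if data[i:i+2] is a valid two-byte GBK character, else 1."""
    if i + 1 < len(data) and 0x81 <= data[i] <= 0xFE:
        t = data[i + 1]
        if 0x40 <= t <= 0x7E or 0x80 <= t <= 0xFE:
            return 2
    return 1

def escape_single_byte(data: bytes) -> bytes:
    """Escaper that believes the charset is single-byte: prefix ' " \\ with a backslash."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C):
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def escape_gbk_aware(data: bytes) -> bytes:
    """Escaper that knows the charset is GBK: copy valid two-byte characters whole,
    and escape a lead byte with no valid trail byte so it cannot absorb a later 0x5C."""
    out = bytearray()
    i = 0
    while i < len(data):
        n = gbk_char_len(data, i)
        if n == 1 and (0x81 <= data[i] <= 0xFE or data[i] in (0x27, 0x22, 0x5C)):
            out.append(0x5C)
        out += data[i:i + n]
        i += n
    return bytes(out)

def literal_breaks_out(escaped: bytes, gbk: bool) -> bool:
    """Model of the server lexer inside a '...' literal: a valid multibyte char is
    consumed whole, a backslash consumes the next byte, a bare quote ends the
    literal. True means an unescaped quote survives (injection possible)."""
    i = 0
    while i < len(escaped):
        if gbk and gbk_char_len(escaped, i) == 2:
            i += 2
        elif escaped[i] == 0x5C:
            i += 2
        elif escaped[i] == 0x27:
            return True
        else:
            i += 1
    return False
```

The takeaway for defenders is that the escaper and the server must agree on the charset: in PHP that means setting it through the client library (mysqli_set_charset() rather than a raw SET NAMES), so the library escapes with the same multibyte rules the server uses.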
Mitigation:
To resolve this vulnerability when prepared statements are unavailable:
The above is the detailed content of "Is mysql_real_escape_string() Vulnerable to SQL Injection with Asian Encodings?". For more information, please follow other related articles on the PHP Chinese website!