Despite its widespread use, mysql_real_escape_string() is not immune to SQL injection attacks.
Requirement: The database connection must use a vulnerable character set like big5, cp932, gb2312, gbk, or sjis.
Steps:
Result: Due to the client-server encoding mismatch, the query contains an unescaped single quote, resulting in a successful SQL injection.
Bug in mysql_real_escape_string(): In earlier MySQL versions, invalid multibyte characters were treated as single bytes for escaping purposes, even if the client was aware of the connection encoding.
PDO vulnerability: Emulated prepared statements in PDO are constructed using mysql_real_escape_string() and are therefore vulnerable to this attack.
Safe practices:
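The connection settings that address the two conditions described above (a vulnerable connection character set and emulated prepared statements) can be checked in code. This is an added example, not code from the original article; the environment variable names, the `users` table and the helper function names are assumptions made for illustration.

```php
<?php
// Added example: open a PDO connection that avoids the conditions the
// article describes, and refuse to continue if a risky charset is active.

// Character sets the article lists as vulnerable.
const RISKY_CHARSETS = ['big5', 'cp932', 'gb2312', 'gbk', 'sjis'];

function assert_safe_charset(PDO $pdo): void
{
    // Ask the server which encodings this session actually uses.
    $row = $pdo->query(
        'SELECT @@character_set_client AS character_set_client, '
        . '@@character_set_connection AS character_set_connection'
    )->fetch(PDO::FETCH_ASSOC);

    foreach ($row as $name => $charset) {
        if (in_array(strtolower((string) $charset), RISKY_CHARSETS, true)) {
            throw new RuntimeException("$name is $charset; refusing to run queries");
        }
    }
}

function open_hardened_pdo(string $host, string $db, string $user, string $pass): PDO
{
    // charset in the DSN sets the encoding in the client library as well as
    // in the server session, so both sides agree on character boundaries.
    $dsn = "mysql:host={$host};dbname={$db};charset=utf8mb4";

    $pdo = new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Use server-side prepared statements: parameters are sent apart
        // from the SQL text instead of being escaped into it.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);

    assert_safe_charset($pdo);
    return $pdo;
}

// Placeholder connection details (assumed environment variable names).
$pdo = open_hardened_pdo(
    getenv('DB_HOST') ?: 'localhost',
    getenv('DB_NAME') ?: 'app',
    getenv('DB_USER') ?: 'app',
    getenv('DB_PASS') ?: ''
);

// Hypothetical table; the value is bound as a parameter, never concatenated.
$stmt = $pdo->prepare('SELECT id FROM users WHERE name = ?');
$stmt->execute(['constructed sample value']);
```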