Can SQL Injection Still Occur Even with `mysql_real_escape_string()`?

Although it is generally believed that mysql_real_escape_string () can prevent SQL injection, in specific cases, SQL injection may still happen. The following explains how this attack happened:

character set selection:

1. Set the server character set to allow the ASCII back slope (0x5C) and the invalid multi -line character character set (for example, GBK). This can be implemented through the Set Names statement.

   Effective load Construction:

2. Create an effective load starting with 0xbf27. In the specified character set (for example, GBK), this means an invalid multi -line character that will be converted to 0x27 (skimp) in Latin1.

   mysql_real_escape_string () Operation:

3. mysql_real_escape_string () based on connected character sets (GBK) operations, rather than the client faked character set (Latin1). It will be effective to be valid to 0x5c27. However, because the client still believes that it uses Latin1, the backslash (0x5C) is still unprofitable.

   • Query execution:
4. The rendering query contains an unprepared skimmer in the content of the righteousness, which leads to a successful injection attack.
   PDO and MySQLI vulnerabilities:
PDO's default use of analog pre -processing statements, which is easily attacked.

MySQLI is not affected because it uses a real pre -processing statement.

• Use non -attacking character sets to connect coding (for example, UTF8).

Disable simulation pre -processing statements in PDO.

The following conditions are verified:
• Modern mysql version with the correct character set management
• or use non -vulnerable character sets

You can reduce this potential loophole.

The above is the detailed content of Can SQL Injection Still Occur Even with `mysql_real_escape_string()`?. For more information, please follow other related articles on the PHP Chinese website!