It can leave the system vulnerable. The article addslashes() Versus mysql_real_escape_string() gives a good reason why. In free translation:
If I want to attempt an SQL injection attack against a MySQL database, having single quotes escaped with a backslash is a nuisance. If you are using addslashes(), however, I am in luck. All I need to do is inject something like 0xbf27, and addslashes() will return 0xbf5c27, a valid multi-byte character followed by an apostrophe. In other words, I can successfully inject an apostrophe, even though it was escaped. That’s because 0xbf5c is interpreted as a single character, not two. Oops, there goes the backslash.
Related: How to prevent SQL code injection into my PHP code
As mentioned in the question above, prefer to use PDO or the mysqli functions.
Another article explains how SQL code can be injected when the addslashes function is used.
The addslashes function is widely used to return a string with backslashes before characters that need to be quoted in database queries. These characters are the single quote ', the double quote ", the backslash \ and NUL (the null byte).
- The apostrophe ' returns \'.
- ' OR '1' = '1 will return \' OR \'1\' = \'1.
In a single-byte character set, the sequence \' is seen by MySQL as 0x5c and 0x27, that is, \ = 0101 1100 and ' = 0010 0111.
In a multi-byte character set such as Big5, one byte is used for ASCII and two bytes for Big5 characters. There is a twist when a MySQL database, table or column uses a multi-byte character set: if a Big5 character has 0x5c (the value of the backslash) as its last byte, we can fool the addslashes function into forming that two-byte Big5 character when the backslash is inserted.
The input is the two bytes
¿ = 0xBF = 1011 1111
' = 0x27 = 0010 0111
When this sequence is passed through the function addslashes, a backslash is inserted before the quote (0xBF → ¿, 0x5c → \, 0x27 → '), giving
¿ = 0xBF = 1011 1111
\ = 0x5c = 0101 1100
' = 0x27 = 0010 0111
MySQL with the character set Big5 interprets this string as 0xbf5c (0xBF followed by 0x5c) and 0x27 ('):
縗 = 0xBF5C = 1011 1111 0101 1100
' = 0x27 = 0010 0111
Note that the quote was not escaped when processed by MySQL, and will now act as a delimiter that allows SQL code to be injected.
This works for two reasons:
- The value 0xbf5c is a valid two-byte character in Big5.
- The function addslashes does not check the character set used by MySQL.
So some multi-byte character sets allow a targeted attack on addslashes that results in successful SQL injection.
Any multi-byte character set in which a valid character could have 0x5c as its last byte was vulnerable. Vulnerable sets included Big5, GBK and SJIS, among others. This problem was fixed in MySQL in 2006, but malicious people can still explore ways to attack using these character sets.
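As an added example (not from the original answer or the articles it cites), a Python model of the byte-wise addslashes() behaviour described above, the view a Big5 connection has of its output, and a charset-aware escaper that decodes strictly first and so rejects the malformed 0xbf27 input instead of passing it through; the helper names are my own.

```python
# Added example, not from the original answer: models addslashes() on raw
# bytes, shows how a Big5 connection reinterprets its output, and contrasts
# it with a charset-aware escape. Helper names are hypothetical.

def addslashes(data: bytes) -> bytes:
    """Byte-wise model of PHP addslashes(): puts a backslash before
    ' " \\ and NUL, with no knowledge of the connection character set."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def server_view(escaped: bytes, charset: str) -> list:
    """Characters MySQL would see when it decodes the escaped bytes
    under the given connection charset (e.g. 'big5' or 'latin1')."""
    return list(escaped.decode(charset))

def quote_is_escaped(escaped: bytes, charset: str) -> bool:
    """True only if every quote is preceded by a backslash *character*
    after decoding; a backslash swallowed into a multi-byte char does not count."""
    chars = server_view(escaped, charset)
    for i, ch in enumerate(chars):
        if ch == "'" and (i == 0 or chars[i - 1] != "\\"):
            return False
    return True

def charset_aware_escape(data: bytes, charset: str) -> bytes:
    """Simplified stand-in for a charset-aware escaper such as
    mysqli_real_escape_string: decode strictly first (a lone lead byte
    raises UnicodeDecodeError), escape characters, then re-encode."""
    text = data.decode(charset)
    escaped = text.translate({0x27: "\\'", 0x22: '\\"', 0x5C: "\\\\", 0x00: "\\0"})
    return escaped.encode(charset)

if __name__ == "__main__":
    payload = b"\xbf\x27"              # the 0xbf27 sequence from the article
    naive = addslashes(payload)        # -> b"\xbf\x5c\x27"
    print(naive.hex(), server_view(naive, "big5"))
    print("quote escaped under Big5?", quote_is_escaped(naive, "big5"))
    print("quote escaped under latin1?", quote_is_escaped(naive, "latin1"))
    try:
        charset_aware_escape(payload, "big5")
    except UnicodeDecodeError as e:
        print("charset-aware escaper rejected the input:", e)
```

Parameterized queries (PDO or mysqli prepared statements) avoid the problem entirely, since the value never travels inside the SQL text.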
Thank you very much!
– Lucas C.S
Can I use this method then? $task = mysql_real_escape_string($_GET["task"]);
– Lucas C.S
@LucasC.S No problem, but use mysqli_real_escape_string just in case.
– stderr
Thank you very much!
– Lucas C.S
I’ll start using PDO, but I don’t want to leave the old mysql
– Lucas C.S
It is interesting to use var_dump($task); to see the function
– Lucas C.S