4.1.6. SQL Injection Tips

4.1.6.1. Wide Byte Injection

When developers build an application with GBK encoding, they usually run `set names 'gbk'` to configure the connection. That statement is equivalent to:

SET
  character_set_connection = 'gbk',
  character_set_results = 'gbk',
  character_set_client = 'gbk';

The root cause is that after `set character_set_client = 'gbk'`, MySQL assumes the data sent by the client is GBK-encoded and decodes it as GBK, while mysql_real_escape_string runs before that decoding. If the application only runs `set names 'gbk'`, the escaping function does not know which character set the connection was set to, so it simply inserts a backslash (%5c) in front of the quote. When the server then decodes the data, it treats the submitted byte together with that %5c as one GBK character, the quote is left unescaped, and that is the vulnerability.

There are three fixes. The first is to set the client's character set to binary, so that no decoding step is performed. The second is to call mysql_set_charset('gbk'): the character set is then recorded in the database connection, the escaping function knows about it, and the problem does not occur. The third is to use PDO.
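The following is an added byte-level simulation of the problem described in the two paragraphs above; it is not code from the original notes. It models an escaping routine that is unaware of the GBK connection charset (what remains when only `set names 'gbk'` was issued), a charset-aware routine (the behaviour that mysql_set_charset('gbk') enables), and the "binary" fix (the server does no multibyte decoding), then reads the resulting query bytes the way a GBK-aware server lexer would. The lexer model, the query template and the sample input are simplifications constructed for this demonstration.

```python
# Added example (not from the original notes): simulate how a lone GBK lead byte
# followed by the escape backslash (0x5c) is swallowed into one GBK character.

SPECIAL = b"'\"\\\x00\n\r\x1a"  # bytes that mysql_real_escape_string() prefixes with a backslash


def is_gbk_pair(data: bytes, i: int) -> bool:
    """True if data[i:i+2] is a valid two-byte GBK character:
    lead byte 0x81-0xFE, trail byte 0x40-0x7E or 0x80-0xFE."""
    if i + 1 >= len(data):
        return False
    lead, trail = data[i], data[i + 1]
    return 0x81 <= lead <= 0xFE and (0x40 <= trail <= 0x7E or 0x80 <= trail <= 0xFE)


def naive_escape(data: bytes) -> bytes:
    """Charset-unaware escaping: looks at one byte at a time, so a lone GBK
    lead byte followed by a quote turns into lead + 0x5c + 0x27."""
    out = bytearray()
    for b in data:
        if b in SPECIAL:
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def gbk_escape(data: bytes) -> bytes:
    """Charset-aware escaping (what mysql_set_charset('gbk') gives you):
    a valid GBK pair is copied untouched, and a lone lead byte is itself
    escaped so it can never pair with the backslash that follows it."""
    out = bytearray()
    i = 0
    while i < len(data):
        if is_gbk_pair(data, i):
            out += data[i:i + 2]
            i += 2
            continue
        b = data[i]
        if 0x81 <= b <= 0xFE or b in SPECIAL:  # lone lead byte, or a special byte
            out.append(0x5C)
        out.append(b)
        i += 1
    return bytes(out)


def build_query(escape, user_input: bytes) -> bytes:
    """Constructed query template: the escaped user value sits in a quoted literal."""
    return b"SELECT name FROM users WHERE name = '" + escape(user_input) + b"'"


def parse_literal(query: bytes, gbk: bool = True):
    """Model of how the server lexer reads the first quoted literal.
    With gbk=True a valid GBK pair is one character (connection charset gbk);
    with gbk=False every byte stands alone (the 'binary' fix). A backslash
    consumes the next byte; an unescaped quote closes the literal.
    Returns (literal_bytes, bytes_after_the_literal)."""
    start = query.index(b"'") + 1
    i = start
    while i < len(query):
        if gbk and is_gbk_pair(query, i):
            i += 2
        elif query[i] == 0x5C:
            i += 2
        elif query[i] == 0x27:
            return query[start:i], query[i + 1:]
        else:
            i += 1
    return query[start:], b""


def literal_closed_early(escape, user_input: bytes, gbk: bool = True) -> bool:
    """True when the quote inside the user value closed the literal, i.e. part
    of the user input ended up outside the string and is parsed as SQL."""
    _, tail = parse_literal(build_query(escape, user_input), gbk)
    return tail != b""


if __name__ == "__main__":
    # Constructed sample input: a GBK lead byte (0xbf), a single quote, then text.
    sample = b"\xbf' AND 1=1"
    for name, esc, gbk in (("SET NAMES only", naive_escape, True),
                           ("mysql_set_charset", gbk_escape, True),
                           ("binary charset", naive_escape, False)):
        literal, tail = parse_literal(build_query(esc, sample), gbk)
        print(f"{name:18}: literal={literal!r} tail={tail!r}")
```

With the charset-unaware escaping the bytes 0xbf 0x5c decode to a single GBK character and the following 0x27 closes the literal, leaving ` AND 1=1` outside the string; with the charset-aware escaping the lone lead byte is escaped first, and with a binary connection charset no pairing happens at all, so in both fixed cases the whole value stays inside the literal.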

There are other encoding tricks as well. For example, latin1 discards invalid Unicode, so admin%32 is not equal to admin in the application code but becomes equal to admin in the database.