mysql_real_escape_string还不够好？

So using %27 you can just SQL inject even though data is sanitized with mysql_real_escape_string

%27) SQL INJECTION HERE %2F*

What to do?

Edit with example:

$sql = sprintf("SELECT *, MATCH(post) AGAINST ('%s*' IN BOOLEAN MODE) AS score FROM Posts WHERE MATCH(post) AGAINST('%s*' IN BOOLEAN MODE)",
                mysql_real_escape_string($_GET['searchterm']),
                mysql_real_escape_string($_GET['searchterm']));

$results = $db->queryAsArray($sql);

If you pass in %27) SQL INJECTION HERE %2F* to the searchterm querystring, I get outputted on the page:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'BOOLEAN MODE)' at line 1

Thanks everyone for finding the problem in the db class..

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

4条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
dongtang4019 2011-03-14 21:29
关注
Reasoning from the method name queryAsArray, it seems that you’re using this DbBase class from the comments of the MySQL functions manual page. If so, it’s the query method that removes the escape character from the escaped quotation marks:

function query($sql, &$records = null){ $sql = str_replace(array('\\"', "\\'"), array('"', "'"), $sql); // … }

Then it’s not a miracle that your example works (I simplified it):

$input = "', BAD SQL INJECTION --"; $sql = "SELECT '".mysql_real_escape_string($input)."'"; var_dump($sql); // string(33) "SELECT '\', BAD SQL INJECTION --'" // everything’s OK ↑ $sql = str_replace(array('\\"', "\\'"), array('"', "'"), $sql); var_dump($sql); // string(32) "SELECT '', BAD SQL INJECTION --'" // Oops! ↑
本回答被题主选为最佳回答 , 对您是否有帮助呢?

解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

查看更多回答(3条)

报告相同问题？

关注问题

php mysql_real_escape_string转换为mysqli [复制] html mysql php
2016-08-30 17:57

回答 3 已采纳 I think you want this <?php $con=mysqli_connect("localhost","my_user","my_password","my_db");
mysql_real_escape_string还不够好？ mysql php
2011-03-14 20:56

回答 4 已采纳 Reasoning from the method name queryAsArray, it seems that you’re using this DbBase class from the
使用mysql_real_escape_string后，在textarea中显示多行 html mysql php
2012-11-30 13:00

回答 3 已采纳 you probably have magic_quotes turned on, check it with echo get_magic_quotes_gpc() or else you w
PHP函数addslashes和mysql_real_escape_string的区别
2020-10-26 00:46

主要介绍了PHP函数addslashes和mysql_real_escape_string的区别,以及一个SQL注入漏洞介绍,需要的朋友可以参考下
mysql_real_escape_string（）出错 php
2013-08-02 12:59

回答 1 已采纳 According to the documentation: If the link identifier is not specified, the last link opened
使用mysql_real_escape_string编码错误，返回空字符串 mysql php
2013-06-13 12:28

回答 1 已采纳 mysql_real_escape_string considers the current connection character set. Your ISO-8859-1 scripts s
mysql_real_escape_string和json json mysql php
2012-07-30 12:11

回答 3 已采纳 You shouldn't use already prepared JSON string. You should use json_encode(); function to create
mysql_real_escape_string c api_mysql_real_escape_string
2021-03-03 23:48

高三垃圾的博客 } if (function_exists('mysql_real_escape_string') AND is_resource($this->conn_id)) { $str = mysql_real_escape_string($str, $this->conn_id); } elseif (function_exists('mysql_escape_string')) { $str = ...
mysql_real_escape_string和array_map返回空字符串？ mysql php
2013-09-05 00:05

回答 3 已采纳 array_map returns new array, if you're overwriting $_POST, better solution would be to use array_w
使用mysql_real_escape_string的速度 mysql php
2014-04-03 21:28

回答 2 已采纳 The mysql_real_escape_string() already searches the string for apostrophes and other characters, a
警告：mysql_real_escape_string（），是什么意思？ [关闭] database html mysql php
2014-09-03 16:28

回答 1 已采纳 Need to connect before real_escape. I suggest you to use mysqli. You can try this. $connect = mys
mysql_real_escape_string()_mysql_real_escape_string() | 学步园
2021-03-15 11:56

林桂鑫的博客 19.7.3.53.mysql_real_escape_string()unsigned long mysql_real_escape_string(MYSQL *mysql, char *to, const char *from, unsigned long length)Note that mysql must be a valid, open connection. This is nee....
mysql_real_escape_string导致网站连接错误 mysql php
2013-02-08 08:58

回答 4 已采纳 For mysql_real_escape_string to work, you first have to connect to MySQL via mysql_connect
mysql_real_escape_string 不支持_mysql_real_escape_string总是返回false
2021-01-21 13:23

13338383381的博客总所周知，mysql_real_escape_string函数的作用是：转义SQL语句中使用的字符串中的特殊字符，并考虑到连接的当前字符集。并且mysql_real_escape_string()并不转义%和_。但是，如果按照手册的例子来写代码，总是返回...
php mysql_real_escape_string函数用法与实例教程
2021-01-20 00:35

语法mysql_real_escape_string(string,connection) 参数描述 string 必需。规定要转义的字符串。 connection 可选。规定 MySQL 连接。如果未规定，则使用上一个连接。说明本函数将 string 中的特殊字符转义...
没有解决我的问题, 去提问

悬赏问题

¥50 导入文件到网吧的电脑并且在重启之后不会被恢复
¥15 （希望可以解决问题）ma和mb文件无法正常打开，打开后是空白，但是有正常内存占用，但可以在打开Maya应用程序后打开场景ma和mb格式。
¥20 ML307A在使用AT命令连接EMQX平台的MQTT时被拒绝
¥20 腾讯企业邮箱邮件可以恢复么
¥15 有人知道怎么将自己的迁移策略布到edgecloudsim上使用吗？
¥15 错误 LNK2001 无法解析的外部符号
¥50 安装pyaudiokits失败
¥15 计组这些题应该咋做呀
¥60 更换迈创SOL6M4AE卡的时候，驱动要重新装才能使用，怎么解决？
¥15 让node服务器有自动加载文件的功能

mysql_real_escape_string还不够好？

4条回答 默认 最新

悬赏问题

4条回答默认最新