  • 11
    I think "The Saving Grace" was this MySQL 5.0.22 fix: dev.mysql.com/doc/relnotes/mysql/5.0/en/news-5-0-22.html Commented Apr 17, 2013 at 12:23
  • 1
    @nicogawenda: that was a different bug. Prior to 5.0.22, mysql_real_escape_string wouldn't properly handle cases where the connection was properly set to BIG5/GBK. So actually even calling mysql_set_charset() on mysql < 5.0.22 would be vulnerable to this bug! So no, this post is still applicable to 5.0.22 (because mysql_real_escape_string is only charset-aware to calls from mysql_set_charset(), which is what this post is talking about bypassing)... Commented Apr 17, 2013 at 14:10
  • 5
    Please note that NO_BACKSLASH_ESCAPES can also introduce new vulnerabilities: stackoverflow.com/a/23277864/1014813 Commented Jan 3, 2016 at 17:22
  • 1
    @ircmaxell A little late to the party, but I am no expert, I am really trying to learn new stuff and I cannot get how and why SELECT * FROM test WHERE name = '縗' OR 1=1 /*' LIMIT 1 is a successful attack. To me it looks like that is searching for something that is not there. The comment is the attack? It leaves everything hanging? Maybe you could add a couple of lines explaining this part, for noobs like me. Thank you for the amazing answer. Commented Jan 24, 2018 at 21:59
  • 3
    @slevin the "OR 1=1" is a placeholder for whatever you want. Yes, it's searching for a value in name, but imagine the "OR 1=1" part was "UNION SELECT * FROM users". You now control the query, and as such can abuse it... Commented Jan 25, 2018 at 20:17
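The byte-level mechanics the comments above are arguing about, as an added example that is not part of the original answer or its comments: a charset-unaware escaper (a simplified stand-in for addslashes() or a mysql_real_escape_string() that has not been told the connection charset via mysql_set_charset(); `naive_escape` is an assumed simplification, not MySQL's code) inserts a 0x5C backslash after the attacker's dangling 0xBF lead byte. When the server decodes the query as GBK, 0xBF 0x5C is read as one character (縗, as the answer states), the backslash is swallowed, and the attacker's quote closes the string so that ` OR 1=1 /*` becomes live SQL. The charset-aware variant shows why decoding before escaping (what mysql_set_charset() makes the real function do) stops it: the dangling lead byte is simply not valid GBK.

```python
# Added example: simulating the GBK multibyte bypass of a charset-unaware
# escaping routine. Not code from the original answer; naive_escape and
# charset_aware_escape are illustrative stand-ins, not MySQL internals.


def naive_escape(data: bytes) -> bytes:
    """Byte-oriented escaping, as an escaper that ignores the connection
    charset would do: prefix ' " \\ and NUL with a backslash, byte by byte."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):  # ' " \ NUL
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def charset_aware_escape(data: bytes, charset: str = "gbk") -> bytes:
    """Decode with the connection charset first, escape per character, then
    re-encode. A lone lead byte (0xBF followed by an ASCII quote) is not a
    valid GBK sequence, so the decode raises UnicodeDecodeError instead of
    letting the backslash land inside a multibyte character."""
    text = data.decode(charset)  # raises on an illegal multibyte sequence
    escaped = "".join("\\" + ch if ch in "'\"\\\x00" else ch for ch in text)
    return escaped.encode(charset)


def build_query(name: bytes, escape=naive_escape) -> bytes:
    """The query shape from the answer, with the untrusted value escaped."""
    return b"SELECT * FROM test WHERE name = '" + escape(name) + b"' LIMIT 1"


def attack_payload() -> bytes:
    # Constructed attacker input: 0xBF is a valid GBK lead byte, then a quote.
    # After naive escaping the bytes are BF 5C 27 ...; GBK reads BF 5C as one
    # character and the 27 (') is left unescaped.
    return b"\xbf\x27 OR 1=1 /*"


def server_view(query: bytes, charset: str = "gbk") -> str:
    """What the server's parser sees once it decodes the wire bytes."""
    return query.decode(charset)


def swallowed_char() -> str:
    """The character that the lead byte plus the inserted backslash form."""
    return b"\xbf\x5c".decode("gbk")


if __name__ == "__main__":
    q = build_query(attack_payload())
    print("wire bytes :", q)
    print("server sees:", server_view(q))
    print("BF 5C decodes as:", swallowed_char())
    try:
        build_query(attack_payload(), escape=charset_aware_escape)
    except UnicodeDecodeError as e:
        print("charset-aware escaper rejects the payload:", e)
```

With naive escaping the decoded query ends in `' OR 1=1 /*' LIMIT 1`: three quotes, no backslash, and everything after `/*` is commented out, which is exactly the string the comments above are puzzling over. The benign case (`O'Reilly` in ASCII, or a real GBK name) still escapes correctly with either routine, which is why this bug stayed hidden for so long.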