Home/ Questions/Q 720847
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-14T05:48:20+00:00

I have this function I’m using and I want to be sure that it

  • 0

I have this function I’m using and I want to be sure that it fully protects against SQL injection attacks:

function MakeSafeForQuery($string)
{
    // replace all of the quote
    // chars by their escape sequence

    $ret = str_replace("\\","\\\\",$string);
    $ret = str_replace("'","\\'",$ret);
    $ret = str_replace("\"","\\\"",$ret);

    return $ret;
}

Am I missing anything serious?

Edit: I’m using MySQL by the way.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    In GBK, 0xbf27 is not a valid multi-byte character, but 0xbf5c is. Interpreted as single-byte characters, 0xbf27 is 0xbf (¿) followed by 0x27 ('), and 0xbf5c is 0xbf (¿) followed by 0x5c (\).

    How does this help? If I want to attempt an SQL injection attack against a MySQL database, having single quotes escaped with a backslash is a bummer. If you’re using addslashes(), however, I’m in luck. All I need to do is inject something like 0xbf27, and addslashes() modifies this to become 0xbf5c27, a valid multi-byte character followed by a single quote. In other words, I can successfully inject a single quote despite your escaping. That’s because 0xbf5c is interpreted as a single character, not two. Oops, there goes the backslash.

    This type of attack is possible with any character encoding where there is a valid multi-byte character that ends in 0x5c, because addslashes() can be tricked into creating a valid multi-byte character instead of escaping the single quote that follows. UTF-8 does not fit this description.

    To avoid this type of vulnerability, use mysql_real_escape_string()

    http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

    • 0