I'm writing some unit tests to ensure my code isn't vulnerable to SQL injection under various charsets.
According to this answer, you can create a vulnerability by injecting xbfx27
using one of the following charsets: big5
, cp932
, gb2312
, gbk
and sjis
This is because if your escaper is not configured correctly, it will see the 0x27
and try to escape it such that it becomes xbfx5cx27
. However, xbfx5c
is actually one character in these charsets, thus the quote (0x27
) is left unescaped.
As I've discovered through testing, however, this is not entirely true. It works for big5
, gb2312
and gbk
but neither 0xbf27
or 0xbf5c
are valid characters in sjis
and cp932
.
Both
mb_strpos("abcxbfx27def","'",0,'sjis')
and
mb_strpos("abcxbfx27def","'",0,'cp932')
Return 4
. i.e., PHP does not see xbfx27
as a single character. This returns false
for big5
, gb2312
and gbk
.
Also, this:
mb_strlen("xbfx5c",'sjis')
Returns 2
(it returns 1
for gbk
).
So, the question is: is there another character sequence that make sjis
and cp932
vulnerable to SQL injection, or are they actually not vulnerable at all? or is PHP lying, I'm completely mistaken, and MySQL will interpret this totally differently?
See Question&Answers more detail:
os 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…