Is htmlspecialchars enough to prevent an SQL injection on a variable enclosed in single quotes?

by

The character that htmlspecialchars fails to encode the critical character \0 (NUL byte), \b (backspace), as well as the \ character.

In order to exploit this, you need a statement with multiple injection points. With this you can escape the closing delimiter of one string literal and thus expand it up to the next starting delimiter of the next string literal. Three string literals each with an injection point can then be transformed into two string literals.

For example:

SELECT * from user WHERE (name="$login" OR email="$login") AND password='$password'

Now with the following values:

login:    ) OR 1=1 /*\
password: */--

The resulting statement looks like this:

SELECT * from user WHERE (name=") OR 1=1 /*\" OR email=") OR 1=1 /*\") AND password='*/--'

Which is equivalent to:

SELECT * from user WHERE (name=") OR 1=1 /*\" OR email=") OR 1=1

More Related Contents:

  1. How can I prevent SQL injection in PHP?
  2. SQL injection that gets around mysql_real_escape_string()
  3. Examples of SQL Injections through addslashes()?
  4. How can I sanitize user input with PHP?
  5. Are PDO prepared statements sufficient to prevent SQL injection?
  6. Is “mysqli_real_escape_string” enough to avoid SQL injection or other SQL attacks?
  7. Reference: What is a perfect code sample using the MySQL extension? [closed]
  8. The ultimate clean/secure function
  9. Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?
  10. When should I use prepared statements?
  11. SQL injections in ADOdb and general website security
  12. Best way to defend against mysql injection and cross site scripting
  13. Why is using a mysql prepared statement more secure than using the common escape functions?
  14. how safe are PDO prepared statements
  15. What does mysql_real_escape_string() do that addslashes() doesn’t?
  16. Do I have to use mysql_real_escape_string if I bind parameters?
  17. Using PHP data in MySQL [closed]
  18. How can I store my users’ passwords safely?
  19. How to create a secure mysql prepared statement in php?
  20. Best way to get result count before LIMIT was applied
  21. Simplest two-way encryption using PHP
  22. Loading .sql files from within PHP
  23. How to fake $_SERVER[‘REMOTE_ADDR’] variable?
  24. Login without HTTPS, how to secure?
  25. PHP: multiple SQL queries in one mysql_query statement
  26. How to execute a stored procedure in php using sqlsrv and “?” style parameters
  27. MySql PHP select count of distinct values from comma separated data (tags)
  28. How can I determine a file’s true extension/type programmatically?
  29. Can I serve MP3 files with PHP?
  30. Aggregated query without GROUP BY

Leave a Comment