www.notsosecure.com

From Pentesters To Pentesters

Query:- There is a web application vulnerable to SQL Injection, but the web server has added protection like magic_quotes or the application calls the function addslashes(), which means I can't insert a single quote and thus can't exploit the SQL Injection. The injection point is in a string field. Does that mean it's safe?

Answer:- To the best of my knowledge, it is safe if your application supports UTF-8 encoding (which is most common). However, if it supports UTF-7 encoding, it becomes vulnerable. This is best described by Chris Shiflett:-

http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

"In GBK, 0xbf27 is not a valid multi-byte character, but 0xbf5c is. Interpreted as single-byte characters, 0xbf27 is 0xbf (¿) followed by 0x27 ('), and 0xbf5c is 0xbf (¿) followed by 0x5c (\).

How does this help? If I want to attempt an SQL injection attack against a MySQL database, having single quotes escaped with a backslash is a bummer. If you're using addslashes(), however, I'm in luck. All I need to do is inject something like 0xbf27, and addslashes() modifies this to become 0xbf5c27, a valid multi-byte character followed by a single quote. In other words, I can successfully inject a single quote despite your escaping. That's because 0xbf5c is interpreted as a single character, not two. Oops, there goes the backslash."

Well done, Chris.
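To see the bypass Chris describes at the byte level, here is an added example (not code from this post or from Chris Shiflett): a re-creation of PHP's addslashes() on raw bytes, and a check that decodes the escaped bytes with the connection charset the way the database server would. Python's built-in gbk codec stands in for a GBK connection; the payload bytes and the "database" are constructed for the demo.

```python
# Added example (not from the post): why charset-unaware escaping fails
# under a multibyte connection charset such as GBK, and how to check for it.

def addslashes(data: bytes) -> bytes:
    """Mimic PHP addslashes(): put a backslash before ' " \\ and NUL,
    byte by byte, with no knowledge of the character set in use."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):   # ' " \ NUL
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def has_unescaped_quote(escaped: bytes, charset: str) -> bool:
    """Decode the escaped bytes as a server using `charset` would and report
    whether a single quote survives without a backslash in front of it in the
    decoded character stream, which is all the SQL parser ever sees."""
    text = escaped.decode(charset, errors="replace")
    i = 0
    while i < len(text):
        if text[i] == "\\":        # a backslash escapes the next character
            i += 2
            continue
        if text[i] == "'":
            return True
        i += 1
    return False

def escaping_survives(user_input: bytes, charset: str) -> bool:
    """True when addslashes() still neutralises every quote under `charset`."""
    return not has_unescaped_quote(addslashes(user_input), charset)

if __name__ == "__main__":
    payload = b"\xbf\x27"            # the 0xbf27 sequence quoted in the post
    print(addslashes(payload).hex())  # bf5c27: 0xbf5c is one GBK character
    for cs in ("utf-8", "gbk"):
        print(cs, "safe" if escaping_survives(payload, cs) else "bypassed")
```

Under UTF-8 the 0xbf byte is just an invalid lone byte and the backslash still protects the quote; under GBK the server fuses 0xbf5c into one character and the quote is left bare. Escaping done by the driver with the connection charset (the mysql_real_escape_string approach from the linked article) or parameterised queries avoid the problem because the escaping happens on characters, not on bytes.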

One Comment

  1. Well, thank you for this post. Can you write some code which can be used to protect against any kind of SQL injection attack? I am searching for a generalized code snippet which will protect the application from any kind of SQL injection attack.

    Thanks