Suppose the web server uses the following PHP code to process login requests:
$username = $_POST[user]; $password = $_POST[pass]; $sql = "SELECT * FROM users WHERE name = '$username' AND password = '$password'"; if(mysql_num_rows($rs) > 0){ //do something }
- What is the meaning of a username that a successful login will always have?
I think that the value ' OR 1=1 will always lead to a successful login, because then the request will look like this:
"SELECT * FROM users WHERE name = '' OR 1=1 AND password = '$password'"
Is it correct?
- Suppose the data is configured to use the Chinese Unicode GBIC character set. In GBK, byte
0x5c encodes \ and 0x27 encodes ' . Bytes 0xbf27 represent two ΒΏ' characters, and bytes 0xbf5c represent one Chinese character. If the username and password fields add slashes to ' , " , \ and null , which username will always result in a successful login, assuming the database interprets this string as GBK, but adds slash processes how is ascii?
I'm not sure what the last part of the sentence means (interpreting as GBK, but processing as ASCII). Can someone shed some light on how to solve this problem?
sql php sql-injection
Jason
source share