grimaden — 2013-07-29T01:05:58-04:00 — #1
This is an example from a book I've read, but I don't understand how it works.
A web admin may attempt to block SQL injections by blocking input containing the apostrophe character.
However, an input containing double encoding may be able to defeat the filter.
eg : %2527
Why is this so? The book stated that %2527 will become %27 after decoding it. What's the process behind it?
If the filter blocks the apostrophe character, %2527 should become 27? As %25 represents an apostrophe.
Guidance is appreciated.
mittineague — 2013-07-29T01:48:23-04:00 — #2
Hi Grimaden, welcome to the forums
No, %25 represents %
%27 represents '
wwb_99 — 2013-07-29T08:33:43-04:00 — #3
Don't rely upon character replacement for sql injection defenses. Parameterize your queries and if that isn't possible at least use the native escape functions.
grimaden — 2013-07-29T11:08:23-04:00 — #4
Oops, my bad. In this case, since it blocks the apostrophe (%27), it removes the '25', which actually represents % (%25), instead, to nullify the apostrophe, which gives the result of %27?
@wwb_99 : Thanks for the advice.
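The mechanism discussed in the posts above, as an added example that is not part of this thread (Python, with a constructed `%2527` input): a filter that URL-decodes once never sees the apostrophe, the second decode that a framework or database layer may perform yields it, a bounded canonicalizing decode closes that gap, and a parameterized query makes the apostrophe harmless regardless of how the filter behaves.

```python
from urllib.parse import unquote
import sqlite3

# Constructed sample: an apostrophe that has been percent-encoded twice.
# %25 is "%", so one decode gives "%27"; a second decode gives "'".
DOUBLE_ENCODED_APOSTROPHE = "%2527"


def decode_stages(raw: str):
    """Return (after_one_decode, after_two_decodes) to show both passes."""
    once = unquote(raw)
    twice = unquote(once)
    return once, twice


def naive_filter_passes(raw: str) -> bool:
    """Filter that decodes once and rejects apostrophes.

    Against %2527 it sees "%27", finds no apostrophe and lets it through.
    """
    return "'" not in unquote(raw)


def canonicalize(raw: str, max_rounds: int = 4) -> str:
    """Decode until the value stops changing, with a bound on rounds.

    Filtering the fixed point means later decoding layers cannot reveal
    characters the filter did not see.
    """
    current = raw
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            return current
        current = decoded
    raise ValueError("input still changing after max decode rounds")


def hardened_filter_passes(raw: str) -> bool:
    """Same apostrophe rule, applied to the fully decoded value."""
    try:
        return "'" not in canonicalize(raw)
    except ValueError:
        return False  # treat over-encoded input as hostile


def lookup_user(name: str):
    """Parameterized query: the value is bound, never spliced into SQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(name TEXT)")
    conn.execute("INSERT INTO users VALUES (?)", ("O'Brien",))
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [r[0] for r in rows.fetchall()]
```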
dklynn — 2013-07-30T07:29:17-04:00 — #5
' is a good replacement for apostrophes but mysqli_real_escape_string will also "correct" other troublesome characters.