URL encoding and decoding question

Grimaden · July 29, 2013, 5:05am

This is an example from a book I’ve read, but I don’t understand how it works.

A web admin may attempt to block SQL injections by blocking input containing the apostrophe character.

However, an input containing double encoding may be able to defeat the filter.

eg : %2527

Why is this so ? The book stated that %2527 will become %27 after decoding it. What’s the process behind it ?

If the filter blocks the apostrophe character, %2527 should become 27 ? As %25 represents an apostrophe.

Guidance is appreciated.

Mittineague · July 29, 2013, 5:48am

Hi Grimaden, welcome to the forums

No, %25 represents %
%27 represnts ’

wwb_99 · July 29, 2013, 12:33pm

Don’t rely upon character replacement for sql injection defenses. Parameterize your queries and if that isn’t possible at least use the native escape functions.

Grimaden · July 29, 2013, 3:08pm

Oops my bad. In this case, since it blocks apostrophe ( %27) , it removes the ‘25’ which is actually represents % (%25) instead to nullify the apostrophe which gives the result of %27 ?

@wwb_99 : Thanks for the advice.

dklynn · July 30, 2013, 11:29am

Grim,

' is a good replacement for apostrophes but mysqli_real_escape_string will also “correct” other troublesome characters.

Regards,

DK