Hey, I'm currently using mysql_real_escape_string() to protect against SQL injection. Is there a way to exploit this? I have already tried \ to try to make the query \\', thus making it just a regular backslash. I have heard of the Big5 exploit, but I don't know how to use it / protect against it.

Thanks so much, Glut.

Member Avatar
diafol

I think the Big5 exploit is for db using charset Big5. So, if you're not using Big5, you probably won't need to worry about it.

The mysql_real_escape_string() should escape the backslash and escape the single quote again, so \' becomes \\\'. Can't see why this isn't working for you.

I think the Big5 exploit is for db using charset Big5. So, if you're not using Big5, you probably won't need to worry about it.

The mysql_real_escape_string() should escape the backslash and escape the single quote again, so \' becomes \\\'. Can't see why this isn't working for you.

Oh, that's why the Big5 exploit didn't work. So, if I'm not using Big5 character encoding, will the mysql_real_escape_string() still work against all SQL injection attacks for my website?

Member Avatar
diafol

Should do