SQL injection: wide-byte injection

Understanding GBK encoding

Although there are calls for all programs to use Unicode and for all sites to use UTF-8 as a unified international standard, many CMSs, both domestic and foreign (particularly in non-English-speaking countries), still use their own country's encoding, such as our GBK, as the default encoding. Some CMSs, to accommodate existing users, ship both a UTF-8 and a GBK version (for example: dedecms).

Let's start with the GBK character encoding as an example. GBK stands for "Chinese Internal Code Specification" and is a multi-byte character encoding. It uses a double-byte scheme, so a GBK-encoded character occupies 2 bytes, while the same character encoded in UTF-8 occupies 3 bytes. We can verify this by printing the encoded output.

For example, 0xD5 0x5C corresponds to the Chinese character "誠" (honesty). URL encoding represents a character as a percent sign followed by its hexadecimal code, so %d5%5c URL-decodes to "誠".

Wide-byte injection principle

Wide-byte SQL injection arises mainly when the programmer sets the database encoding to a non-English one. For example, setting the MySQL encoding with SET NAMES 'gbk' or SET character_set_client = gbk causes transcoding, and that transcoding is what produces the injection vulnerability.
In PHP, wide-byte SQL injection occurs when the application sends SET NAMES 'gbk' or SET character_set_client = gbk to MySQL, so the request is decoded as GBK on the server; the injection results from this inadvertent character set conversion.

For example, an input ' becomes \' and the single quotation mark is escaped. In URL encoding this is %5c%27, and the two bytes stay together. To bypass the backslash escape and let the single quotation mark through, a byte has to be placed in front that combines with %5c to form a single character. For example:

%d5' → %d5\' = %d5%5c%27 = "誠" + %27 = 誠'
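
The byte sequence from the example above, modelled in Python as an added example (not code from the original post). `addslashes_bytes` stands in for byte-oblivious escaping on the PHP side, and all function names, including the charset-aware variant shown as the hardened form, are assumptions made for illustration.

```python
# Added example: byte-level model of the escaping described above.
from urllib.parse import unquote_to_bytes

def addslashes_bytes(raw: bytes) -> bytes:
    """Byte-oblivious escaping: put 0x5C before ', " and backslash."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5C):
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def unescaped_quotes(text: str) -> int:
    """Count single quotes not preceded by an escaping backslash."""
    count, i = 0, 0
    while i < len(text):
        if text[i] == "\\":
            i += 2              # the backslash consumes the next character
            continue
        if text[i] == "'":
            count += 1
        i += 1
    return count

def quote_survives(url_value: str, client_charset: str) -> bool:
    """True if a server decoding with client_charset sees a live quote."""
    escaped = addslashes_bytes(unquote_to_bytes(url_value))
    text = escaped.decode(client_charset, errors="replace")
    return unescaped_quotes(text) > 0

def escape_charset_aware(url_value: str, charset: str) -> str:
    """Hardened model: decode in the server's charset first, then escape
    characters rather than bytes, so 0x5C cannot be absorbed as a trail byte."""
    text = unquote_to_bytes(url_value).decode(charset, errors="replace")
    return "".join("\\" + c if c in "'\"\\" else c for c in text)

if __name__ == "__main__":
    sample = "%d5'"             # constructed input, taken from the page's example
    print(addslashes_bytes(unquote_to_bytes(sample)).hex())
    for cs in ("gbk", "latin-1"):
        print(cs, "live quote:", quote_survives(sample, cs))
    print(escape_charset_aware(sample, "gbk"))
```

Only the GBK decoding reports a live quote, which is why the problem appears once the connection is switched with SET NAMES 'gbk' while escaping still works on raw bytes.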

Origin www.cnblogs.com/yanlzy/p/11914522.html