WebApp Sec mailing list archives
UTF-8 encoding
From: <biftarin () hotmail com>
Date: 21 Jul 2004 20:07:09 -0000
Hi,

I'm currently auditing a web application running on Apache 1.3.27, PHP 4.3.7 and MySQL 3.23.58. I've found a parameter that's vulnerable to SQL injection, but I have encountered a problem preventing me from exploiting the vulnerability. The application filters out apostrophes and the URL encoding of them. So I tried using UTF-8 encoding and found that this was not filtered out. Yet the query doesn't return a row as expected. To ensure the query was correct I removed the code that filters out apostrophes and tried the query using 'normal' apostrophes and it returned a row.

So my question is... if I use normal apostrophes and this query (as seen in the SQL log) returns a row...

    SELECT * FROM users WHERE password = 'correct' OR user='exists'

how come the same query doesn't work with the UTF-8 encoding of apostrophes? I've checked the SQL log and both queries are exactly the same (as shown above) regardless of which way the apostrophes are inputted.

If anyone could shed some light on this issue I'd be very grateful :)