  1. #1 SitePoint Member

    URL encoding and decoding question.

    This is an example from a book I've read, but I don't understand how it works.

    A web admin may attempt to block SQL injections by blocking input containing the apostrophe character.

    However, an input containing double encoding may be able to defeat the filter.

    e.g. %2527

    Why is this so? The book stated that %2527 will become %27 after decoding it. What's the process behind it?

    If the filter blocks the apostrophe character, shouldn't %2527 become 27, as %25 represents an apostrophe?

    Guidance is appreciated.

  2. #2 Mittineague (Programming Team)

    Hi Grimaden, welcome to the forums

    No, %25 represents %
    %27 represents '

  3. #3 wwb_99 (SitePoint Author)

    Don't rely upon character replacement for SQL injection defenses. Parameterize your queries, and if that isn't possible, at least use the native escape functions.

  4. #4 SitePoint Member

    Quote Originally Posted by Mittineague:
    > Hi Grimaden, welcome to the forums
    >
    > No, %25 represents %
    > %27 represents '

    Oops, my bad. In this case, since it blocks the apostrophe (%27), it removes the '25', which actually represents % (%25), to nullify the apostrophe, which gives the result of %27?

    @wwb_99 : Thanks for the advice.
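Added example (not from the thread) tracing in Python the decoding stages discussed above: a block-list check applied to the raw value passes %2527, the first decode yields %27, and a second decode yields the apostrophe. The defensive points it shows are to canonicalize the value to a fixed point before any filtering and, as wwb_99 says, to parameterize the query so quoting no longer matters; all function names are my own.

```python
from urllib.parse import unquote
import sqlite3


def naive_filter(raw: str) -> bool:
    """Block-list check on the raw, still-encoded value: True means 'allowed'."""
    return "'" not in raw


def trace(raw: str) -> tuple[str, str]:
    """Return the value after one and after two rounds of URL decoding."""
    stage1 = unquote(raw)          # web server / framework decode
    stage2 = unquote(stage1)       # a second decode somewhere in the app
    return stage1, stage2


def canonicalize(s: str, max_rounds: int = 3) -> str:
    """Decode until the value stops changing; refuse input that never settles."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            return s
        s = decoded
    raise ValueError("input did not stabilize after repeated decoding")


def safe_filter(raw: str) -> bool:
    """Same block list, but applied to the canonical (fully decoded) form."""
    return "'" not in canonicalize(raw)


def lookup_user(name: str) -> list:
    """Parameterized query: the driver binds name as data, so an apostrophe is harmless."""
    conn = sqlite3.connect(":memory:")  # constructed sample database
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.execute("INSERT INTO users VALUES (?)", ("O'Brien",))
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    print(trace("%2527"))                  # ('%27', "'")
    print(naive_filter("%2527"))           # True: the raw check is bypassed
    print(safe_filter("%2527"))            # False: the canonical form is caught
    print(lookup_user("O'Brien"))          # [("O'Brien",)]
```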

  5. #5 dklynn (Certified Ethical Hacker)

    Grim,

    ' is a good replacement for apostrophes but mysqli_real_escape_string will also "correct" other troublesome characters.

    Regards,

    DK