SQL injection bypass PHP addslashes function – All things in moderation

SQL injection bypass PHP addslashes function


The addslashes(string) function returns a string with backslashes in front of predefined characters:

  • single quote (')
  • double quote (")
  • backslash (\)
  • NULL

This function can be used to prepare a string for storage in a database or for use in database queries, to prevent SQL injection attacks. However, it is easily bypassed using an invalid multi-byte character. This article looks at that bypass technique.

As an example, consider the URL:


Suppose the server uses the following PHP code:

    include("sql-connect.php"); // connect to MySQL
    $id = addslashes($_GET['id']); // prepare the string using the addslashes() function
    $sql = "SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    $result = mysql_query($sql); // run the query (this call was missing from the snippet)
    $row = mysql_fetch_array($result);


1. Check whether the server code uses addslashes().

Now let's test for a SQL injection vulnerability using a single quote (') and a double quote (").



No error occurs, because the quotes were escaped by the addslashes() function:

single quote escaped as: \'

double quote escaped as: \"


2. Bypass addslashes() using a multi-byte character.

The values 0xbf5c and 0xaf5c are valid multi-byte characters in GBK (a Chinese character set), and addslashes() does not check the MySQL character set.

The addslashes() function adds a backslash (%5c) before our quote character. For example, a single quote (%27) becomes %5c%27 (\').

We can try to bypass this with %bf or %af. When we send %bf%27 as our input, it becomes %bf%5c%27. Because %bf%5c is a valid Chinese multi-byte character (縗), %bf%5c%27 is read as 縗', and the server executes our single quote.

Now try injecting %bf%27 or %af%27; the server returns an error.

Then we can exploit SQL injection!
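The byte-level effect described above, as an added example that is not from the original post: a Python model of addslashes() (an assumption standing in for PHP's function) with a check that tells whether a quote stays escaped once the bytes are decoded in a given connection charset. The function names are hypothetical, and the inputs are constructed from the page's %bf%27 and %af%27.

```python
# Added example: byte-level model of PHP addslashes(), not PHP's own code.
ESCAPED = b"'\"\\"  # single quote, double quote, backslash (NUL handled separately)


def addslashes(raw: bytes) -> bytes:
    """Prefix ', " and backslash with 0x5c; emit NUL as backslash + '0'.
    Works on single bytes only, with no knowledge of any charset."""
    out = bytearray()
    for b in raw:
        if b == 0:
            out += b"\\0"
        elif b in ESCAPED:
            out += bytes([0x5C, b])
        else:
            out.append(b)
    return bytes(out)


def unescaped_quotes(escaped: bytes, charset: str) -> int:
    """Count single quotes NOT preceded by a backslash after the bytes
    are read as characters in the connection charset."""
    text = escaped.decode(charset, errors="replace")
    count, i = 0, 0
    while i < len(text):
        if text[i] == "\\":
            i += 2  # a backslash consumes the character that follows it
            continue
        if text[i] == "'":
            count += 1
        i += 1
    return count


def escaping_holds(raw: bytes, charset: str) -> bool:
    """True if addslashes() output has no bare quote under this charset."""
    return unescaped_quotes(addslashes(raw), charset) == 0


if __name__ == "__main__":
    # Constructed inputs: a plain quote, then the page's %bf%27 and %af%27.
    for raw in (b"1'", bytes.fromhex("bf27"), bytes.fromhex("af27")):
        for charset in ("gbk", "utf-8", "latin-1"):
            state = "escaped" if escaping_holds(raw, charset) else "QUOTE UNESCAPED"
            print(raw.hex(), "->", addslashes(raw).hex(), charset, state)
```

Under GBK the lead byte absorbs the added backslash and the quote comes out unescaped, while under UTF-8 or Latin-1 the backslash still precedes it. Binding `id` as a parameter of a prepared statement removes the dependence on escaping altogether.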



