
I have this .php script to receive username and password from another page:

```php
// Query text built by concatenating the raw POST values straight into the SQL string
$req2 = $bdd->prepare('SELECT * FROM users WHERE login="'.$_POST['val1'].'"and password="'.$_POST['val2'].'"');

$req2->execute();
```

My database accepts GBK language, but when I enter a valid GBK symbol in hexadecimal (0xbf5c, which is a Chinese symbol) the query does not work (but it works with the Chinese symbol directly).

So, is there a function in SQL to transform hexadecimals into a GBK symbol?

Thanks

mric750
    Is this PDO you are using? If so you are doing it wrong, you should use placeholders and then execute( array($var1,$var2, ..)) your prepared statement. Maybe it's the GBK escaping issue you are having. – Muhammed Mar 01 '16 at 14:06
  • Yes PDO, no, just consider to be on the "user" side. – mric750 Mar 01 '16 at 14:16
  • Did you try doing what I suggested? – Muhammed Mar 01 '16 at 14:17
  • Thank you for your answer but actually I don't understand it. What is the use of placeholders in this case? – mric750 Mar 01 '16 at 14:38
  • It's to escape values, and avoid SQL injections, I am thinking maybe your GBK characters are conflicting with the query somehow. – Muhammed Mar 01 '16 at 14:40
  • I hope you're not using this in production. If someone `POST`s `val1='; DROP TABLE users; --`, your DB is gone. Alternatively, whatever action is executed, would be applied to **all** the users in the DB if someone `POST`ed `val1=1=1'; --` – vzwick Mar 01 '16 at 14:52
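
The placeholder form the commenters recommend, as an added example that is not code from the question or its comments. The table and column names come from the question; the host, database name, credentials and the two function names are assumptions, and the second function covers the hexadecimal input the question asks about by letting MySQL do the conversion server-side.

```php
<?php
// Added example, not code from the question or its comments.
// Host, database name and credentials below are placeholders.
$bdd = new PDO(
    'mysql:host=localhost;dbname=app_db;charset=gbk', // charset agrees with the GBK table
    'db_user',
    'db_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // surface SQL errors instead of hiding them
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepare: values are sent apart from the SQL
    ]
);

// Looks up a user by login and password using placeholders. The SQL text
// holds only the two '?' markers; the submitted values travel separately,
// so quotes, comment sequences or multi-byte GBK input cannot change the
// statement. The 0xBF5C example from the question ends in byte 0x5C, the
// backslash, which is exactly the kind of input that misbehaves when it is
// spliced into SQL text instead of being bound.
function findUser(PDO $bdd, string $login, string $password)
{
    $req2 = $bdd->prepare('SELECT * FROM users WHERE login = ? AND password = ?');
    $req2->execute([$login, $password]);
    return $req2->fetch(PDO::FETCH_ASSOC); // false when no row matches
}

// Variant for the hexadecimal form asked about: the caller passes the hex
// digits (e.g. 'BF5C') and MySQL's UNHEX/CONVERT turn them into a GBK string
// on the server; the digits themselves are still a bound parameter.
function findUserByHexLogin(PDO $bdd, string $hexLogin, string $password)
{
    $req = $bdd->prepare(
        'SELECT * FROM users WHERE login = CONVERT(UNHEX(?) USING gbk) AND password = ?'
    );
    $req->execute([$hexLogin, $password]);
    return $req->fetch(PDO::FETCH_ASSOC);
}

$user = findUser($bdd, $_POST['val1'] ?? '', $_POST['val2'] ?? '');
echo $user === false ? 'invalid credentials' : 'login ok';
```

The plaintext password comparison is kept only to mirror the question's query; in practice the column should hold a hash checked with password_verify() rather than be compared in SQL.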
