Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
SELECT * FROM users WHERE username = '¿\' OR username = username /*' AND password = 'guess'
i copied this sql command to run in phpmyadmin but it return result is 0 row, that is attacker cannot access my database
question is why did my database return result 0 row when i ran this code ? or can you describe this code
The injection works just fine. Addslashes() is not a multi-byte character safe function and has never been meant to be used to prevent SQL injections. I think any multi-byte character ending in 0x5c could be used to inject a single quote.
Maybe you do not have a users table with a column username or MySQL was running in ANSI mode where /* should be invalid I think.
The code you pasted previously has a question mark (0x3f) and an escape character (0x5c). This is will not bypass addslashes(). You need to use characters outside the ASCII range to achieve the results you want. In the first post you used 0xbf, which is not in the ASCII range and works well.