Posted by NoDude on 11/06/07 09:25
On Nov 6, 6:37 am, AnrDaemon <anrdae...@freemail.ru> wrote:
> Greetings, Rik Wasmus.
> In reply to Your message dated Monday, November 5, 2007, 11:42:54,
>
> > PHP doesn't know everything about the MySQL server, so escaping string can
> > be tricky business (especially with 'broken' Unicode, there's a very slim
> > possibility a quote will appear where there was none). Prepared statements
> > free you from that headache.
>
> Sorry, but... what mysql_real_escape_string function does then?
>
> --
> Sincerely Yours, AnrDaemon <anrdae...@freemail.ru>
The *_real_escape_string family gets the encoding they're supposed to
escape from mysql while connecting, if you happen to set mysql to
another encoding (and in some edge cases just in php) you might not
get the string you expected in mysql. That's what Wasmus was talking
about, when he mentioned there's a chance of a quote appearing where
you didn't expect it.
A user might put a character that's supposed to be a in cp1251, but
is a ' in some Uganda encoding. You happen to be in Uganda and you
happen to not use true UTF, so you do some encoding switching. Worst
case scenario - maybe a table will be dropped. Hackers on the other
hand try huge amounts of possible sql injections. If there's a weak
spot, they're bound to find it sooner or later.
If you're keen on using the mysql extension, make sure everything you
do is true unicode, but there's still the chance you happen to forget
to escape something, somewhere, sometime.
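The charset mismatch NoDude describes, as an added illustration that is not part of the thread: a constructed byte-oriented escaper (which assumes a single-byte charset, as a client library does when nobody told it the connection charset changed) next to one that decodes with the real connection charset first, plus a check that counts the quotes the server would actually see. The sample bytes, the GBK/latin-1 pairing and all function names are constructed for the demonstration.

```python
"""Charset-aware vs. byte-oriented escaping (constructed illustration)."""

# Characters mysql_real_escape_string backslash-escapes, keyed by code point.
ESCAPES = {0x00: "\\0", 0x27: "\\'", 0x22: '\\"', 0x5C: "\\\\",
           0x0A: "\\n", 0x0D: "\\r", 0x1A: "\\Z"}


def escape_bytewise(data: bytes) -> bytes:
    """Escape as if every byte were one character: what a client-side escaper
    does when it still believes the connection uses a single-byte charset."""
    return b"".join(ESCAPES[b].encode() if b in ESCAPES else bytes([b]) for b in data)


def escape_charset_aware(data: bytes, charset: str) -> bytes:
    """Decode with the real connection charset, escape code points, re-encode.
    Bytes that are not valid in that charset are rejected, not passed through."""
    try:
        text = data.decode(charset)
    except UnicodeDecodeError as exc:
        raise ValueError(f"input is not valid {charset}: {exc}") from None
    return "".join(ESCAPES.get(ord(ch), ch) for ch in text).encode(charset)


def unescaped_quotes(data: bytes, charset: str) -> int:
    """Count quote characters the server would treat as string delimiters when
    it parses `data` as `charset` (a backslash protects the next character)."""
    text = data.decode(charset, errors="replace")
    count = i = 0
    while i < len(text):
        if text[i] == "\\":
            i += 2
            continue
        count += text[i] in "'\""
        i += 1
    return count


if __name__ == "__main__":
    # Constructed input: a byte that is a valid GBK lead byte, then an ASCII quote.
    user_input = b"\xbf'"
    naive = escape_bytewise(user_input)  # b"\xbf\\'"
    # Under the single-byte assumption the quote is escaped ...
    print("latin-1 sees", unescaped_quotes(naive, "latin-1"), "bare quote(s)")
    # ... but a GBK server pairs 0xBF with the backslash (one two-byte character)
    # and the quote is left bare: the "quote where there was none" case.
    print("gbk sees    ", unescaped_quotes(naive, "gbk"), "bare quote(s)")
    # UTF-8 trail bytes are never ASCII, so the backslash cannot be swallowed
    # there: the reason "true unicode" end to end is the safe default.
    print("utf-8 sees  ", unescaped_quotes(naive, "utf-8"), "bare quote(s)")
    # The charset-aware escaper rejects the malformed GBK input instead.
    try:
        escape_charset_aware(user_input, "gbk")
    except ValueError as err:
        print("charset-aware escaper:", err)
    print(escape_charset_aware("O'Neil".encode("gbk"), "gbk"))  # b"O\\'Neil"
```

In PHP the decode step is done for you only when the client library knows the charset, which is what mysqli_set_charset() sets; a bare SET NAMES changes the server side while the escaper keeps its old assumption. Prepared statements sidestep the whole question because the data never passes through the SQL text at all.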