Posted by Andrew Hutchings on 06/29/07 16:31

Jerry Stuckle wrote:
> Andrew Hutchings wrote:
>> shimmyshack wrote:
>>> On Jun 28, 10:28 pm, jb <jbri...@gmail.com> wrote:
>>>> does wrapping the string in double quotes somehow tell mysql to treat
>>>> the contents within as literal? Thus making it sql injection safe?
>>>
>>> just use myql_real_escape_string throughout.
>>
>> That won't cover things like unicode sql injection attacks for
>> starters. Prepared statements are much safer but you need mysqli on
>> your PHP installation (or a lot of voodoo with the standard mysql
>> library).
>>
>
> Actually, it will. mysql_real_escape_string is charset dependent. If
> you're using one of the unicode charsets in your table,
> mysql_real_escape_string will handle it. And if you're not using
> unicode, the injection won't work, anyway.
>

No, if your not using unicode a certain malformed unicode character can
cause an apostrophe which then can lead to injection (I forget what the
code is off the top of my head). Last time I checked
mysql_real_escape_string did not protect against this.

--
Andrew Hutchings - LinuxJedi - http://www.linuxjedi.co.uk/
Windows is the path to the darkside...Windows leads to Blue Screen. Blue
Screen leads to downtime. Downtime leads to suffering...I sense much
Windows in you...

[Back to original message]