Posted by Jerry Stuckle on 06/30/07 01:48

Andrew Hutchings wrote:
> Jerry Stuckle wrote:
>> Andrew Hutchings wrote:
>>> shimmyshack wrote:
>>>> On Jun 28, 10:28 pm, jb <jbri...@gmail.com> wrote:
>>>>> does wrapping the string in double quotes somehow tell mysql to treat
>>>>> the contents within as literal? Thus making it sql injection safe?
>>>>
>>>> just use myql_real_escape_string throughout.
>>>
>>> That won't cover things like unicode sql injection attacks for
>>> starters. Prepared statements are much safer but you need mysqli on
>>> your PHP installation (or a lot of voodoo with the standard mysql
>>> library).
>>>
>>
>> Actually, it will. mysql_real_escape_string is charset dependent. If
>> you're using one of the unicode charsets in your table,
>> mysql_real_escape_string will handle it. And if you're not using
>> unicode, the injection won't work, anyway.
>>
>
> No, if your not using unicode a certain malformed unicode character can
> cause an apostrophe which then can lead to injection (I forget what the
> code is off the top of my head). Last time I checked
> mysql_real_escape_string did not protect against this.
>

If you're not using unicode, then mysql_real_escape_string won't decode
it as unicode. So no matter what it is, the "malformed unicode
character" can't cause a problem.

Now if you are using unicode, that might be a problem.


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

[Back to original message]