Warren Vail wrote:
> I would be interested to know what might get past the
> addslashes function that the mysql_escape_string function
> catches.

I wrote an example to demonstrate this:

http://shiflett.org/archive/184

The theory behind this type of problem is pretty easy to understand - if your escaping function interprets characters differently than the database, it's possible that it will fail to escape something that needs to be escaped, just because it misinterprets the character.

The problem I demonstrate doesn't exist with UTF-8 or ISO-8859-1, but it does with any character encoding where there is a valid multi-byte character that ends in 0x5c.

Regardless, it's best to use the right tool for the job, even if you think you won't be punished for using the wrong one. (You might be wrong.)

The original question is related to XSS, not SQL injection, and character encoding consistency is even more important in that context:

http://shiflett.org/archive/178

Hope that helps.

Chris

-- 
Chris Shiflett
Principal, OmniTI
http://omniti.com/

-- 
PHP General Mailing List (http://www.php.net/)