On Wed, January 23, 2008 3:18 pm, Dotan Cohen wrote:
> I think it was here on this list that we saw an example of SQL
> injection despite the use of mysql_escape_string. Some funky Asian
> charset was used, no?

I don't know that I'd call it funky, but yes.

Without the "real" MySQL does not know what charset you are using.

Without the charset, MySQL does not know what character codes to escape.

Without that, characters that it thinks are "fine" because it assumes Latin-1 (or whatever) are not, in fact, "fine" because they are NOT Latin-1.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?
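The point made in the reply above, as an added example that is not part of the original message: a byte-level model of escaping with and without knowledge of the connection charset, plus a check that counts quotes left unescaped once the server reads the bytes in its own charset. The function names, the choice of GBK as the multi-byte charset (the thread does not name one), and the sample bytes are assumptions made for illustration; this models the behaviour and is not the MySQL or PHP implementation.

```python
# Added illustration; names and sample bytes are constructed, not from the thread.
ESC = str.maketrans({"\0": "\\0", "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
                     '"': '\\"', "'": "\\'", "\\": "\\\\"})

def escape_bytewise(data: bytes) -> bytes:
    """Escaper that assumes Latin-1: every byte is treated as one character."""
    return data.decode("latin-1").translate(ESC).encode("latin-1")

def escape_charset_aware(data: bytes, charset: str) -> bytes:
    """Escaper that knows the charset: it escapes whole characters and
    rejects input that is not valid in that charset (UnicodeDecodeError)."""
    return data.decode(charset).translate(ESC).encode(charset)

def bare_quotes(escaped: bytes, charset: str) -> int:
    """Count single quotes that are NOT preceded by a backslash when the
    escaped bytes are read in the charset the server actually uses."""
    chars = escaped.decode(charset, errors="replace")
    count, i = 0, 0
    while i < len(chars):
        if chars[i] == "\\":      # backslash consumes the next character
            i += 2
            continue
        if chars[i] == "'":
            count += 1
        i += 1
    return count

# Constructed inputs: a GBK lead byte followed by a quote (invalid in GBK),
# and a valid two-byte GBK character followed by a quote.
INVALID_GBK = b"\xbf\x27"
VALID_GBK = b"\xbf\x5c\x27"

if __name__ == "__main__":
    for name, sample in (("invalid", INVALID_GBK), ("valid", VALID_GBK)):
        out = escape_bytewise(sample)
        print(name, "bytewise:", out.hex(),
              "| bare quotes as latin-1:", bare_quotes(out, "latin-1"),
              "| as gbk:", bare_quotes(out, "gbk"))
    print("aware:", escape_charset_aware(VALID_GBK, "gbk").hex())
    try:
        escape_charset_aware(INVALID_GBK, "gbk")
    except UnicodeDecodeError:
        print("aware: invalid GBK input rejected")
```

The same escaped bytes are safe under the Latin-1 reading and unsafe under the GBK reading, which is why the escaper and the connection have to agree on the charset.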