Re: Using mysql_real_escape_string without connecting to mysql

On Wed, January 23, 2008 3:18 pm, Dotan Cohen wrote:
> I think it was here on this list that we saw an example of SQL
> injection despite the use of mysql_escape_string. Some funky Asian
> charset was used, no?

I don't know that I'd call it funky, but yes.

Without the "real" MySQL does not know what charset you are using.

Without the charset, MySQL does not know what character codes to escape.

Without that, characters that it thinks are "fine" because it assumes
Latin-1 (or whatever) are not, in fact, "fine" because they are NOT
Latin-1.

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
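
The charset point made in the reply above, as an added example that is not part of the original message and is not PHP's or MySQL's own code: a Python model of byte-wise escaping versus escaping done with knowledge of the connection charset, plus a check that counts quotes left unescaped once the bytes are read in that charset. GBK is an assumed example of a multibyte charset (the thread does not name one), and the function names and the sample input are constructed for illustration.

```python
# Added illustration in Python: a byte-level model, not PHP's or MySQL's code.
# GBK is an assumed example charset; RAW is a constructed sample input.

SPECIALS = {0x00: b"\\0", 0x0A: b"\\n", 0x0D: b"\\r", 0x1A: b"\\Z",
            0x22: b'\\"', 0x27: b"\\'", 0x5C: b"\\\\"}

RAW = b"\xbf'"  # constructed: a GBK lead byte followed by a single quote


def escape_bytewise(raw: bytes) -> bytes:
    """Charset-unaware escaping: every byte is treated as one character."""
    return b"".join(SPECIALS.get(b, bytes([b])) for b in raw)


def escape_charset_aware(raw: bytes, charset: str) -> bytes:
    """Simplified model: decode in the connection charset, escape characters."""
    table = {chr(k): v.decode("ascii") for k, v in SPECIALS.items()}
    text = raw.decode(charset, errors="replace")
    escaped = "".join(table.get(ch, ch) for ch in text)
    return escaped.encode(charset, errors="replace")


def unescaped_quotes(escaped: bytes, charset: str) -> int:
    """Count quotes a server reading `escaped` in `charset` sees as unescaped."""
    text = escaped.decode(charset, errors="replace")
    count, i = 0, 0
    while i < len(text):
        if text[i] == "\\":      # backslash consumes the next character
            i += 2
            continue
        if text[i] in "'\"":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    naive = escape_bytewise(RAW)
    aware = escape_charset_aware(RAW, "gbk")
    print("bytewise:", naive, "latin-1:", unescaped_quotes(naive, "latin-1"),
          "gbk:", unescaped_quotes(naive, "gbk"))
    print("aware:   ", aware, "gbk:", unescaped_quotes(aware, "gbk"))
```

The byte-wise output is fully escaped when read as Latin-1, but read as GBK the inserted backslash becomes the trail byte of a two-byte character and the quote is left bare; the charset-aware model leaves no unescaped quote.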

