Is mysql_real_escape_string() broken?

Some people believe that mysql_real_escape_string() has some flaws and cannot protect your query even when properly used, bringing some fossilized articles as proof.

So, the question is: is mysql[i]_real_escape_string() totally unacceptable?
Or is it still possible to use this function to create your own kind of prepared statements?

With proof code, please.


3 Responses to Is mysql_real_escape_string() broken?

  1. LHMathies says:

    From the MySQL’s C API function mysql_real_escape_string description:

    If you need to change the character set of the connection, you should use the mysql_set_character_set() function rather than executing a SET NAMES (or SET CHARACTER SET) statement. mysql_set_character_set() works like SET NAMES but also affects the character set used by mysql_real_escape_string(), which SET NAMES does not.

    So don’t use SET NAMES/SET CHARACTER SET but PHP’s mysql_set_charset to change the encoding as that is the counterpart to MySQL’s mysql_set_character_set (see source code of /ext/mysql/php_mysql.c).
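    The charset point made in this answer, shown as an added example in mysqli (the successor of the ext/mysql functions named above); this is not code from the post or the commenter, and the connection details, the `users` table and the `bind_query()` helper are hypothetical:

```php
<?php
// Added example: the weak and the correct way to set the connection charset
// before relying on real_escape_string(), plus a minimal do-it-yourself
// placeholder binder built on top of it. Connection parameters and the
// `users` table are hypothetical.
$db = new mysqli('localhost', 'app', 'secret', 'appdb');

// WEAK: SET NAMES changes the charset the server uses for this connection,
// but the client library keeps escaping with the charset it was initialised
// with, so real_escape_string() and the server can disagree about where a
// multi-byte character ends.
$db->query("SET NAMES 'utf8mb4'");

// CORRECT: set_charset() is the mysqli counterpart of the C API's
// mysql_set_character_set(); it updates the connection AND the escaping
// routine, so both sides use the same charset.
$db->set_charset('utf8mb4');

/**
 * Tiny home-made "prepared statement": ?s is replaced by an escaped, quoted
 * string and ?d by an integer cast. It only covers values inside quoted
 * literals and integers; it cannot protect table or column names, and a
 * literal "?s" inside the SQL text itself would also be substituted.
 */
function bind_query(mysqli $db, string $sql, array $params): string {
    $i = 0;
    return preg_replace_callback('/\?([sd])/', function ($m) use ($db, $params, &$i) {
        if (!array_key_exists($i, $params)) {
            throw new InvalidArgumentException("missing parameter #$i");
        }
        $v = $params[$i++];
        if ($m[1] === 'd') {
            return (string) (int) $v;                 // integer: cast, no quotes
        }
        return "'" . $db->real_escape_string((string) $v) . "'"; // string: escape + quote
    }, $sql);
}

// Constructed request input, untrusted by definition.
$name   = $_GET['name'] ?? '';
$minAge = $_GET['min_age'] ?? 0;

$sql    = bind_query($db, 'SELECT id, name FROM users WHERE name = ?s AND age > ?d', [$name, $minAge]);
$result = $db->query($sql);

// The native API remains the simpler choice for new code: values never
// touch the SQL text, so the charset question does not arise at all.
$stmt = $db->prepare('SELECT id, name FROM users WHERE name = ? AND age > ?');
$stmt->bind_param('si', $name, $minAge);
$stmt->execute();
```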

  2. ontrack says:

    In the comments there is a link to a bugfix in MySQL 5.0.22 (24 May 2006), where this has been addressed.

