Re: Should I use mysql, mysqli or PDO?



On Nov 6, 6:37 am, AnrDaemon <anrdae...@xxxxxxxxxxx> wrote:
Greetings, Rik Wasmus.
In reply to Your message dated Monday, November 5, 2007, 11:42:54,

PHP doesn't know everything about the MySQL server, so escaping string can
be tricky business (especially with 'broken' Unicode, there's a very slim
possibility a quote will appear where there was none). Prepared statements
free you from that headache.

Sorry, but... what mysql_real_escape_string function does then?

--
Sincerely Yours, AnrDaemon <anrdae...@xxxxxxxxxxx>

the *_real_escape_string family gets the encoding it's supposed to
escape from mysql while connecting; if you happen to set mysql to
another encoding (and in some edge cases just in php) you might not
get the string you expected in mysql. That's what Wasmus was talking
about, when he mentioned there's a chance of a quote appearing where
you didn't expect it.

A user might put a character that's supposed to be a in cp1251, but
is a ' in some Uganda encoding. You happen to be in Uganda and you
happen to not use true UTF, so you do some encoding switching. Worst
case scenario - maybe a table will be dropped. Hackers on the other
hand try huge amounts of possible SQL injections. If there's a weak
spot, they're bound to find it sooner or later.

If you're keen on using the mysql extension, make sure everything you
do is true unicode, but there's still the chance you happen to forget
to escape something, somewhere, sometime.
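To make the two points above concrete, here is an added example (not code from the thread) of the two safer approaches the thread is steering towards: tell the client library the connection charset so the escape function escapes for the right encoding, or skip client-side quoting entirely with a native prepared statement. Host, database, credentials and the `users` table are placeholders; `$_GET['name']` stands in for any untrusted input.

```php
<?php
// Added example, not from the original post. Connection details are placeholders.
declare(strict_types=1);

$host = 'localhost'; $db = 'app'; $user = 'app'; $pass = 'placeholder';
$name = $_GET['name'] ?? '';   // untrusted input

// Approach 1: mysqli with escaping. real_escape_string() escapes according to
// the charset the *client library* believes is in use, so set it through the
// API. A raw "SET NAMES ..." query would change only the server side and leave
// the escaper working with the wrong encoding (the edge case discussed above).
$mysqli = new mysqli($host, $user, $pass, $db);
$mysqli->set_charset('utf8mb4');

$sql = "SELECT id FROM users WHERE name = '"
     . $mysqli->real_escape_string($name) . "'";
$result = $mysqli->query($sql);

// Approach 2: PDO with native (server-side) prepared statements. The value is
// sent to the server separately from the SQL text, so no quoting happens in
// PHP at all and a charset mismatch cannot turn a byte into a stray quote.
// The charset still goes in the DSN so the server decodes the parameter right.
$pdo = new PDO(
    "mysql:host=$host;dbname=$db;charset=utf8mb4",
    $user,
    $pass,
    [
        // false = real server-side prepare; true would fall back to
        // client-side quoting, which reintroduces the charset dependency.
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]
);
$stmt = $pdo->prepare('SELECT id FROM users WHERE name = ?');
$stmt->execute([$name]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

The old `mysql_*` extension mentioned above offers neither `set_charset` on the connection object nor prepared statements, which is why the thread recommends mysqli or PDO instead.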



