Bug #60765 [Com]: mysqli_real_escape_string not parse multibyte word safe while use mysqlnd

Sun, 29 Jan 2012 00:31:41 -0800 

Edit report at https://bugs.php.net/bug.php?id=60765&edit=1

 ID:                 60765
 Comment by:         xiaqii at gmail dot com
 Reported by:        xiaqii at gmail dot com
 Summary:            mysqli_real_escape_string not parse multibyte word
                     safe while use mysqlnd
 Status:             Not a bug
 Type:               Bug
 Package:            MySQLi related
 Operating System:   ubuntu 10
 PHP Version:        5.3.9
 Assigned To:        uw
 Block user comment: N
 Private report:     N

 New Comment:

i do set charset with
$dbcharset="GBK";
mysqli_query($this->linkID, "SET character_set_connection=$dbcharset, 
character_set_results=$dbcharset, character_set_client=binary") or 
$this->error("set names error");


and my mysqlserver's default charset in my.cnf is also "GBK"
i'll retest it ASAP.


Previous Comments:
------------------------------------------------------------------------
[2012-01-26 10:02:22] [email protected]

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

You have to call mysqli_set_charset() to set the correct encoding so PHP and 
the MySQL server know hat data to expect and how to interpret it.

------------------------------------------------------------------------
[2012-01-26 02:48:46] xiaqii at gmail dot com

my site's charset is GBK

------------------------------------------------------------------------
[2012-01-16 06:19:58] xiaqii at gmail dot com

i recomplie my php with old style 
--with-mysqli=/usr/local/mysql/bin/mysql_config' 

the sql is safe and execute ok.

so the bug is : mysqlnd not parse some multibyte word.
this can be sql injection problem.

i hope my english is enough to explain this bug clearly..  -_-!

------------------------------------------------------------------------
[2012-01-16 05:50:24] xiaqii at gmail dot com

Description:
------------
some Multibyte word contain \ ASCII code didn't been escaped.

Test script:
---------------
$link=mysqli_connect(............);
$var="海賊";
$var=mysqli_real_escape_string($link,$var);
mysqli_query($link,"INSERT INTO table SET manga_name='$var'");
///////////////////////////////////////////////////


Expected result:
----------------
sql injection

Actual result:
--------------
it is dangerous.
my reply table has been update to all one word because this..


------------------------------------------------------------------------



-- 
Edit this bug report at https://bugs.php.net/bug.php?id=60765&edit=1

Reply via email to