ID: 37867 User updated by: yu at nic dot fujitsu dot com Reported By: yu at nic dot fujitsu dot com Status: Wont fix Bug Type: MySQL related Operating System: NetBSD 3.0 PHP Version: 4.4.2 New Comment:
PHP 4.4.2 has no mysqli extension, so I cannot use it... Are there any plan to backport it from PHP5? Without this charset interface, client-side charset is always set to latin1, and mysql_real_escape_string() cannot handle multibyte strings well. For example, 1. Client-side: sjis(Japanese Shift-JIS) string "0x95 0x27" is escaped to "0x95 0x27 0x27" by mysql_real_escape_string() call. 2. Server-side: "0x95 0x27" part is recognized as valid sjis multibyte character, and following "0x27" is recognized as single quote... easily SQL injected. As a result, almost all PHP4 programs using multibyte charset in MySQL extension would be affected by this SQL injection bug. Previous Comments: ------------------------------------------------------------------------ [2006-06-21 06:54:27] [EMAIL PROTECTED] To use the features of MySQL 4.1 and above you should use the mysqli extension, which has mysqli_set_charset function. ------------------------------------------------------------------------ [2006-06-21 04:14:20] yu at nic dot fujitsu dot com Description: ------------ MySQL4.1 and MySQL5 have a function, mysql_set_character_set(), which sets up MySQL internal character set. To set MySQL character set correctly both in client-side and in server-side, calling this function is the only right way after the connection is created (by mysql_real_connect()). It is not right to call "set names" SQL statement by mysql_query, because this call sets only in server-side charset. To set up client-side charset, mysql_set_character_set() is needed. But PHP4.4.2 and 5.1.4 have no interface to call this function. (There is another way to set charset correctly. Calling mysql_options() with MYSQL_SET_CHARSET_NAME before mysql_real_connect() do the same thing internally. But PHP4.4.2 and 5.1.4 don't have this interface.) ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=37867&edit=1
