Dotan Cohen wrote:
So far as I understand mysql_real_escape_string() was invented because
addslashes() is not adequate.
Correct, addslashes() works fine for latin1 (single byte encoding) but
does not work properly when used with a multibyte encoded string.
That is most likely the reason why mysql_real_escape_string() checks the
encoding before escaping so it can do the right thing for the used encoding.
Here is a quote from the description of a forum SQL injection exploit:
"Addslashes simply adds a backslash (0x5c) before single quote ('),
double quote ("), backslash (\) and NUL (the NULL byte), without
checking if the added blackslash creates another char.
Bytes in Input 0xa327
Addslashes(Bytes in Input) 0xa35c27
In big5, but also in other multibyte charsets, 0xa35c is a valid char:
0x27 (') is left alone."
No Victim, No Crime
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php