#1364: Prevent usage of SET NAMES for MySQL connections in AgaviMysqliDatabase
----------------------+-----------------------------------------------------
Reporter: david | Owner: david
Type: task | Status: new
Priority: normal | Milestone: 1.0.5
Component: database | Version: 1.0.4
Severity: normal | Keywords:
Has_patch: 0 |
----------------------+-----------------------------------------------------
The MySQL client library (both libmysql and mysqlnd) won't see the charset
change, which means injections are possible for certain exotic multi-byte
character sets like Big5 or GBK. http://bugs.php.net/47802 has more
details (describes PDO, but the issue is the same for ext/mysqli).
We should force the use of "charset" (that uses {{{mysqli_set_charset()}}})
over "SET NAMES".
--
Ticket URL: <http://trac.agavi.org/ticket/1364>
Agavi <http://www.agavi.org/>
An MVC Framework for PHP5
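
One way to enforce what the ticket proposes, as an added example (not code from Agavi or from the ticket): reject charset-changing init queries and apply the charset through the client API instead. The parameter keys other than "charset" ('init_queries', 'host', 'user', 'password', 'database') and both function names are assumptions made for illustration.

```php
<?php
// Added example. Keys other than 'charset' are hypothetical, not
// AgaviMysqliDatabase's actual configuration parameters.

/** Returns the init queries that change the charset on the server side only. */
function findCharsetStatements(array $initQueries): array
{
    // "SET NAMES x", "SET CHARACTER SET x" and "SET CHARSET x" are invisible to
    // libmysql/mysqlnd, so real_escape_string() keeps using the old charset.
    $pattern = '/^\s*SET\s+(NAMES|CHARACTER\s+SET|CHARSET)\b/i';
    return array_values(preg_grep($pattern, $initQueries));
}

function openConnection(array $params): mysqli
{
    $initQueries = $params['init_queries'] ?? [];
    $bad = findCharsetStatements($initQueries);
    if ($bad) {
        throw new InvalidArgumentException(
            'Use the "charset" parameter instead of: ' . implode('; ', $bad));
    }
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db = new mysqli($params['host'], $params['user'],
                     $params['password'], $params['database']);
    if (isset($params['charset'])) {
        // set_charset() updates the server session AND the client library, so
        // escaping is done for the charset the connection really uses.
        if (!$db->set_charset($params['charset'])) {
            throw new RuntimeException('Could not set connection charset');
        }
    }
    foreach ($initQueries as $sql) {
        $db->query($sql);
    }
    return $db;
}

// Constructed sample configurations; only the guard runs here (no server needed).
$samples = [
    'legacy' => ['init_queries' => ["SET NAMES 'gbk'", "SET SESSION sql_mode = 'ANSI'"]],
    'fixed'  => ['charset' => 'utf8mb4', 'init_queries' => ["SET SESSION sql_mode = 'ANSI'"]],
];
foreach ($samples as $name => $params) {
    $hits = findCharsetStatements($params['init_queries']);
    echo $name, ': ', $hits ? 'rejected (' . implode('; ', $hits) . ')' : 'ok', PHP_EOL;
}
```

The pattern only catches statements that start with SET; a statement hidden behind a leading SQL comment would need a stricter check.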