It's similar to SET NAMES but isn't identical, the SQL statement can't update the internal character encoding on the client. This causes mysql_real_escape_string to perform incorrectly and can lead to data being incorrectly escaped.
This in turn can lead to SQL Injections when you change from a single byte character set (latin1) which is the default to a multibyte character set. In regards to ext/mysql and ext/mysqli, most hosts don't know the difference and only enable ext/mysql, instead allow users to protect themselves or deprecate ext/mysql. Scott Antony Dovgal wrote: > I believe this should be reverted. > > Adding new functions to ext/mysqli is _completely_ pointless, especially > taking into account that this function is just an alias for "SET NAMES > xx" and already implemented int MySQLi. > > ext/mysql and ext/mysqli is like PHP4 and PHP5 - we can't keep adding > new functions to ext/mysql, cause eventually it'll become ext/mysqli. > > On 05/14/2007 09:30 PM, Scott MacVicar wrote: >> Was discussed last summer and again in January this year, I forgot about >> it for 5.2.2 until recently. >> >> http://news.php.net/php.internals/27634 >> >> http://news.php.net/php.internals/27638 >> >> Spoke to ilia on IRC on Friday and his only comment was to use the new >> param parsing API. >> >> Scott >> >> Antony Dovgal wrote: >>> On 05/14/2007 09:10 PM, Scott MacVicar wrote: >>>> scottmac Mon May 14 17:10:47 2007 UTC >>>> >>>> Modified files: (Branch: PHP_5_2) >>>> /php-src NEWS /php-src/ext/mysql php_mysql.c php_mysql.h >>>> Log: >>>> Add mysql_set_charset() so that the connection encoding can be >>>> changed. This is similar to the SET NAMES statement but allows the >>>> mysql_real_escape_string to use the correct character set. >>> >>> When and where was this discussed? >>> >> >> > > -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
