Edit report at https://bugs.php.net/bug.php?id=60765&edit=1
ID: 60765
Updated by: ras...@php.net
Reported by: xiaqii at gmail dot com
Summary: mysqli_real_escape_string does not parse multibyte words safely when using mysqlnd
-Status: Open
+Status: Assigned
Type: Bug
Package: MySQLi related
Operating System: ubuntu 10
PHP Version: 5.3.9
-Assigned To:
+Assigned To: uw
Block user comment: N
Private report: N

Previous Comments:
------------------------------------------------------------------------
[2012-01-16 06:19:58] xiaqii at gmail dot com

I recompiled my PHP the old way, with --with-mysqli=/usr/local/mysql/bin/mysql_config', and the SQL is safe and executes OK. So the bug is: mysqlnd does not parse some multibyte words. This can be a SQL injection problem. I hope my English is enough to explain this bug clearly.. -_-!

------------------------------------------------------------------------
[2012-01-16 05:50:24] xiaqii at gmail dot com

Description:
------------
Some multibyte words that contain the \ ASCII code are not escaped.

Test script:
---------------
<?php
// Connection details were elided in the original report.
$link = mysqli_connect(............);
// A multibyte word whose encoding contains the byte 0x5C ("\").
$var = "æµ·è³";
// Escaping is expected to make $var safe to interpolate below.
$var = mysqli_real_escape_string($link, $var);
mysqli_query($link, "INSERT INTO table SET manga_name='$var'");
///////////////////////////////////////////////////

Expected result:
----------------
sql injection

Actual result:
--------------
It is dangerous. My reply table has been updated to all one word because of this..

------------------------------------------------------------------------
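The report turns on whether the escaper knows the connection character set. In charsets such as GBK a valid two-byte character can end in 0x5C, the ASCII backslash; an escaper that looks at bytes in isolation doubles that byte, and the server, decoding with the real charset, then sees a stray backslash that swallows the closing quote. The following Python model is an added example, not code from the report or from PHP/mysqlnd; it assumes a constructed GBK sample byte sequence and a deliberately simplified model of how the server reads a quoted literal. It shows the byte-wise escaper beside a charset-aware one and checks what the server would see in each case.

```python
# Added example (not from the bug report): a model of why SQL string escaping
# must be charset-aware. Sample bytes and the server model are constructed
# for illustration only.

# Escape table shared by both escapers (the usual MySQL string specials).
SPECIALS = {
    0x00: "\\0", 0x0A: "\\n", 0x0D: "\\r", 0x1A: "\\Z",
    0x27: "\\'", 0x22: '\\"', 0x5C: "\\\\",
}
UNESCAPE = {"0": "\0", "n": "\n", "r": "\r", "Z": "\x1a"}

# Constructed sample: a valid two-byte GBK character whose trailing byte is
# 0x5C, the ASCII backslash (the reporter's "multibyte word containing \").
SAMPLE = b"\xbf\x5c"


def escape_bytewise(data: bytes) -> bytes:
    """Charset-unaware escaping: each byte is judged in isolation, so the
    0x5C trailing byte of a multibyte character is doubled as if it were a
    backslash."""
    return b"".join(
        SPECIALS[b].encode("ascii") if b in SPECIALS else bytes([b]) for b in data
    )


def escape_charset_aware(data: bytes, charset: str) -> bytes:
    """Decode with the connection charset first, escape on code points, then
    re-encode. Invalid byte sequences raise UnicodeDecodeError instead of
    being passed through into the query."""
    text = data.decode(charset)
    return "".join(SPECIALS.get(ord(ch), ch) for ch in text).encode(charset)


def server_view(escaped: bytes, charset: str):
    """Simplified model of the server side: decode the statement with the
    connection charset and walk a single-quoted literal, honouring backslash
    escapes. Returns (literal, text_after_literal), or None when the closing
    quote was swallowed and the literal never terminates."""
    stmt = (b"SELECT '" + escaped + b"'").decode(charset)
    i = stmt.index("'") + 1
    literal = []
    while i < len(stmt):
        ch = stmt[i]
        if ch == "\\" and i + 1 < len(stmt):
            # Backslash escape: the next character is taken literally.
            literal.append(UNESCAPE.get(stmt[i + 1], stmt[i + 1]))
            i += 2
            continue
        if ch == "'":
            return "".join(literal), stmt[i + 1:]
        literal.append(ch)
        i += 1
    return None


if __name__ == "__main__":
    for name, escaped in (("bytewise", escape_bytewise(SAMPLE)),
                          ("charset-aware", escape_charset_aware(SAMPLE, "gbk"))):
        print(name, escaped.hex(), "->", server_view(escaped, "gbk"))
```

For plain ASCII input both escapers agree, which is why the problem only shows up with certain multibyte words. The practical defence on the PHP side is to make the escaper charset-aware by calling mysqli_set_charset() on the connection before any escaping, and, better, to bind values with prepared statements so no string interpolation into SQL happens at all.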