Bug #60765 [Com]: mysqli_real_escape_string not parse multibyte word safe while use mysqlnd
Edit report at https://bugs.php.net/bug.php?id=60765&edit=1

ID: 60765
Comment by: xiaqii at gmail dot com
Reported by: xiaqii at gmail dot com
Summary: mysqli_real_escape_string not parse multibyte word safe while use mysqlnd
Status: Not a bug
Type: Bug
Package: MySQLi related
Operating System: ubuntu 10
PHP Version: 5.3.9
Assigned To: uw
Block user comment: N
Private report: N

New Comment:

I do set the charset with

$dbcharset="GBK";
mysqli_query($this->linkID, "SET character_set_connection=$dbcharset, character_set_results=$dbcharset, character_set_client=binary") or $this->error("set names error");

and my MySQL server's default charset in my.cnf is also "GBK".
I'll retest it ASAP.

Previous Comments:
--------------------
[2012-01-26 10:02:22] johan...@php.net

Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://www.php.net/manual/ and the instructions on how to report a bug at http://bugs.php.net/how-to-report.php

You have to call mysqli_set_charset() to set the correct encoding so PHP and the MySQL server know what data to expect and how to interpret it.

--------------------
[2012-01-26 02:48:46] xiaqii at gmail dot com

my site's charset is GBK

--------------------
[2012-01-16 06:19:58] xiaqii at gmail dot com

I recompiled my PHP with the old style --with-mysqli=/usr/local/mysql/bin/mysql_config' and the SQL is safe and executes OK.
So the bug is: mysqlnd does not parse some multibyte words.
This can be an SQL injection problem.
I hope my English is enough to explain this bug clearly.. -_-!

--------------------
[2012-01-16 05:50:24] xiaqii at gmail dot com

Description:
Some multibyte words containing the \ ASCII code were not escaped.

Test script:
---
$link=mysqli_connect();
$var="æµ·è³";
$var=mysqli_real_escape_string($link,$var);
mysqli_query($link,"INSERT INTO table SET manga_name='$var'");
///

Expected result:
sql injection

Actual result:
--
It is dangerous. My reply table has been updated to all one word because of this..
-- Edit this bug report at https://bugs.php.net/bug.php?id=60765&edit=1
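
The maintainer's reply above turns on the escaper and the server agreeing about the connection charset. As an added illustration (a simplified byte-level model in Python, not code from this report, PHP, mysqlnd or MySQL), the sketch below escapes a value under one charset and reads it back under another; the function names and the sample bytes are constructed for the example, and GBK handling is reduced to its lead/trail byte ranges.

```python
# Added illustration: a byte-level model, not PHP, mysqlnd or MySQL source.
SPECIAL = {0x00: b"\\0", 0x0A: b"\\n", 0x0D: b"\\r", 0x1A: b"\\Z",
           0x22: b'\\"', 0x27: b"\\'", 0x5C: b"\\\\"}
UNESC = {ord("0"): 0x00, ord("n"): 0x0A, ord("r"): 0x0D, ord("Z"): 0x1A}

def gbk_pair(data, i):
    """True if data[i:i+2] is a two-byte GBK character (lead 0x81-0xFE, trail 0x40-0xFE except 0x7F)."""
    return (i + 1 < len(data) and 0x81 <= data[i] <= 0xFE
            and 0x40 <= data[i + 1] <= 0xFE and data[i + 1] != 0x7F)

def escape(data, gbk):
    """Escape string-literal content; gbk=False models an escaper left on a single-byte charset."""
    out, i = bytearray(), 0
    while i < len(data):
        if gbk and gbk_pair(data, i):
            out += data[i:i + 2]      # whole character copied, trail byte untouched
            i += 2
        else:
            out += SPECIAL.get(data[i], data[i:i + 1])
            i += 1
    return bytes(out)

def server_read(body, gbk):
    """Decode literal content as the server would; None if a backslash is left dangling at the end."""
    out, i = bytearray(), 0
    while i < len(body):
        if gbk and gbk_pair(body, i):
            out += body[i:i + 2]
            i += 2
        elif body[i] == 0x5C:
            if i + 1 == len(body):
                return None           # the backslash would swallow the closing quote
            out.append(UNESC.get(body[i + 1], body[i + 1]))
            i += 2
        else:
            out.append(body[i])
            i += 1
    return bytes(out)

def round_trips(value, client_gbk, server_gbk):
    """True when the server recovers exactly the bytes the client escaped."""
    return server_read(escape(value, client_gbk), server_gbk) == value

SAMPLE = b"\x81\x5c"  # constructed: one GBK character whose trail byte is 0x5C
```

With matching settings `round_trips(SAMPLE, ...)` is true; with either side mismatched the server is left with a dangling backslash and the literal no longer ends where the client intended.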
Bug #60765 [Com]: mysqli_real_escape_string not parse multibyte word safe while use mysqlnd
Edit report at https://bugs.php.net/bug.php?id=60765&edit=1

ID: 60765
Comment by: xiaqii at gmail dot com
Reported by: xiaqii at gmail dot com
Summary: mysqli_real_escape_string not parse multibyte word safe while use mysqlnd
Status: Assigned
Type: Bug
Package: MySQLi related
Operating System: ubuntu 10
PHP Version: 5.3.9
Assigned To: uw
Block user comment: N
Private report: N

New Comment:

my site's charset is GBK
Bug #60765 [Opn]: mysqli_real_escape_string not parse multibyte word safe while use mysqlnd
Edit report at https://bugs.php.net/bug.php?id=60765&edit=1

ID: 60765
User updated by: xiaqii at gmail dot com
Reported by: xiaqii at gmail dot com
-Summary: mysqli_real_escape_string not work while use mysqlnd
+Summary: mysqli_real_escape_string not parse multibyte word safe while use mysqlnd
Status: Open
Type: Bug
Package: MySQLi related
Operating System: ubuntu 10
PHP Version: 5.3.9
Block user comment: N
Private report: N

New Comment:

I recompiled my PHP with the old style --with-mysqli=/usr/local/mysql/bin/mysql_config' and the SQL is safe and executes OK.
So the bug is: mysqlnd does not parse some multibyte words.
This can be an SQL injection problem.
I hope my English is enough to explain this bug clearly.. -_-!
[PHP-BUG] Bug #60765 [NEW]: mysqli_real_escape_string not work while use mysqlnd
From:
Operating system: ubuntu 10
PHP version: 5.3.9
Package: MySQLi related
Bug Type: Bug
Bug description: mysqli_real_escape_string not work while use mysqlnd

Description:
Some multibyte words containing the \ ASCII code were not escaped.

Test script:
---
$link=mysqli_connect();
$var="æµ·è³";
$var=mysqli_real_escape_string($link,$var);
mysqli_query($link,"INSERT INTO table SET manga_name='$var'");
///

Expected result:
sql injection

Actual result:
--
It is dangerous. My reply table has been updated to all one word because of this..

--
Edit bug report at https://bugs.php.net/bug.php?id=60765&edit=1