Bug #60765 [Com]: mysqli_real_escape_string not parse multibyte word safe while use mysqlnd

2012-01-29 Thread xiaqii at gmail dot com
Edit report at https://bugs.php.net/bug.php?id=60765&edit=1

 ID: 60765
 Comment by: xiaqii at gmail dot com
 Reported by:xiaqii at gmail dot com
 Summary:mysqli_real_escape_string not parse multibyte word
 safe while use mysqlnd
 Status: Not a bug
 Type:   Bug
 Package:MySQLi related
 Operating System:   ubuntu 10
 PHP Version:5.3.9
 Assigned To:uw
 Block user comment: N
 Private report: N

 New Comment:

I do set the charset with
$dbcharset="GBK";
mysqli_query($this->linkID, "SET character_set_connection=$dbcharset, 
character_set_results=$dbcharset, character_set_client=binary") or 
$this->error("set names error");


and my MySQL server's default charset in my.cnf is also "GBK".
I'll retest it ASAP.


Previous Comments:

[2012-01-26 10:02:22] johan...@php.net

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

You have to call mysqli_set_charset() to set the correct encoding so PHP and 
the MySQL server know what data to expect and how to interpret it.

--------------------
[2012-01-26 02:48:46] xiaqii at gmail dot com

My site's charset is GBK.

--------------------
[2012-01-16 06:19:58] xiaqii at gmail dot com

I recompiled my PHP with the old-style
--with-mysqli=/usr/local/mysql/bin/mysql_config

The SQL is safe and executes OK.

So the bug is: mysqlnd does not parse some multibyte words.
This can be an SQL injection problem.

I hope my English is good enough to explain this bug clearly..  -_-!

----------------
[2012-01-16 05:50:24] xiaqii at gmail dot com

Description:

Some multibyte words that contain the \ ASCII code were not escaped.

Test script:
---
$link=mysqli_connect();
$var="海賊";
$var=mysqli_real_escape_string($link,$var);
mysqli_query($link,"INSERT INTO table SET manga_name='$var'");
///


Expected result:

sql injection

Actual result:
--
It is dangerous.
My reply table has been updated to all one word because of this..






-- 
Edit this bug report at https://bugs.php.net/bug.php?id=60765&edit=1
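
Why the client and the server have to agree on the connection charset, shown for the report's 海賊 value. This is an added example, not code from the bug report or from PHP: a simplified byte-level model of backslash escaping and of reading a quoted literal. The function names and the `latin1` label for a single-byte charset are assumptions made for the illustration.

```python
# Added illustration: a byte-level model of quoting, not mysqlnd/libmysql source.
ESC = {0x00: b"\\0", 0x0A: b"\\n", 0x0D: b"\\r", 0x1A: b"\\Z",
       0x22: b'\\"', 0x27: b"\\'", 0x5C: b"\\\\"}
UNESC = {0x30: 0x00, 0x6E: 0x0A, 0x72: 0x0D, 0x5A: 0x1A}


def gbk_pair(data, i, charset):
    """True if a two-byte GBK character starts at data[i] under `charset`."""
    if charset != "gbk" or i + 1 >= len(data):
        return False
    lead, trail = data[i], data[i + 1]
    return 0x81 <= lead <= 0xFE and 0x40 <= trail <= 0xFE and trail != 0x7F


def escape(data, charset):
    """Client side: escape bytes for a quoted literal as `charset` dictates."""
    out, i = bytearray(), 0
    while i < len(data):
        if gbk_pair(data, i, charset):
            out += data[i:i + 2]      # trail byte 0x5C belongs to the character
            i += 2
        else:
            out += ESC.get(data[i], data[i:i + 1])
            i += 1
    return bytes(out)


def parse_literal(body, charset):
    """Server side: read `body` + closing quote; None if the quote is not the
    final byte (unterminated or prematurely terminated literal)."""
    out, i = bytearray(), 0
    while i < len(body):
        if gbk_pair(body, i, charset):
            out += body[i:i + 2]
            i += 2
        elif body[i] == 0x5C and i + 1 < len(body):
            out.append(UNESC.get(body[i + 1], body[i + 1]))
            i += 2
        elif body[i] == 0x27:
            return bytes(out) if i == len(body) - 1 else None
        else:
            out.append(body[i])
            i += 1
    return None


def round_trip(text, client_charset, server_charset):
    """Does the value survive when client and server assume these charsets?"""
    raw = text.encode("gbk")
    return parse_literal(escape(raw, client_charset) + b"'", server_charset) == raw
```

The GBK encoding of 海賊 ends in byte 0x5C, so `round_trip("海賊", c, s)` holds only when `c` and `s` are the same charset; with either mismatch the closing quote is read as an escaped character and the literal never terminates.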


Bug #60765 [Com]: mysqli_real_escape_string not parse multibyte word safe while use mysqlnd

2012-01-25 Thread xiaqii at gmail dot com

 ID: 60765
 Comment by: xiaqii at gmail dot com
 Reported by:xiaqii at gmail dot com
 Summary:mysqli_real_escape_string not parse multibyte word
 safe while use mysqlnd
 Status: Assigned
 Type:   Bug
 Package:MySQLi related
 Operating System:   ubuntu 10
 PHP Version:5.3.9
 Assigned To:uw
 Block user comment: N
 Private report: N

 New Comment:

My site's charset is GBK.




Bug #60765 [Opn]: mysqli_real_escape_string not parse multibyte word safe while use mysqlnd

2012-01-15 Thread xiaqii at gmail dot com

 ID: 60765
 User updated by:xiaqii at gmail dot com
 Reported by:xiaqii at gmail dot com
-Summary:mysqli_real_escape_string not work while use mysqlnd
+Summary:mysqli_real_escape_string not parse multibyte word
 safe while use mysqlnd
 Status: Open
 Type:   Bug
 Package:MySQLi related
 Operating System:   ubuntu 10
 PHP Version:5.3.9
 Block user comment: N
 Private report: N

 New Comment:

I recompiled my PHP with the old-style
--with-mysqli=/usr/local/mysql/bin/mysql_config

The SQL is safe and executes OK.

So the bug is: mysqlnd does not parse some multibyte words.
This can be an SQL injection problem.

I hope my English is good enough to explain this bug clearly..  -_-!




[PHP-BUG] Bug #60765 [NEW]: mysqli_real_escape_string not work while use mysqlnd

2012-01-15 Thread xiaqii at gmail dot com
From: 
Operating system: ubuntu 10
PHP version:  5.3.9
Package:  MySQLi related
Bug Type: Bug
Bug description:mysqli_real_escape_string not work while use mysqlnd

Description:

Some multibyte words that contain the \ ASCII code were not escaped.

Test script:
---
$link=mysqli_connect();
$var="海賊";
$var=mysqli_real_escape_string($link,$var);
mysqli_query($link,"INSERT INTO table SET manga_name='$var'");
///


Expected result:

sql injection

Actual result:
--
It is dangerous.
My reply table has been updated to all one word because of this..
