Thanks Chris. That was helpful.
Chris Shiflett wrote:
> Darian Anthony Patrick wrote:
>> And could anyone direct me to (or incant) a working exploit that
>> takes advantage of the default_charset not being defined, or
>> being defined incorrectly?
>
Darian Anthony Patrick wrote:
> And could anyone direct me to (or incant) a working exploit that
> takes advantage of the default_charset not being defined, or
> being defined incorrectly?
I wrote this one a while ago:
http://shiflett.org/archive/184
It doesn't answer all of your questions, but
To clarify, I'm unclear as to what "connection" means in
"Escapes special characters in the unescaped_string, taking into account
the current character set of the connection so that it is safe to place
it in a mysql_query()." -
http://us3.php.net/manu
Good afternoon all,
I have several questions regarding mysql_real_escape_string (and the like).
When default_charset is not set in php.ini, it appears that PHP has no
fallback default. Am I wrong in this thinking? Is UTF-8 the default?
It seems be
> Don't forget, it's not just humans behind web browsers that we have to
worry about.
Those dreaded Romulans and Klingons...
___
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
NYPHPCon 2006 Presentations Online
ht
On 10/31/06, David Krings <[EMAIL PROTECTED]> wrote:
> I can't think of any way on how to get \x1a as user input
Simple. Write a php script that connects to your server and sends \x1a as input.
:-)
Don't forget, it's not just humans behind web browsers that we have to
worry about.
David Krings wrote:
> Dan Cech wrote:
>> What you're failing to consider here is the character set of the active
>> mysql connection. Correct me if I'm wrong, but it is my understanding
>> that mysql_real_escape_string does not incur an extra trip to the
>> database, the escaping still occurs with
Dan Cech wrote:
> What you're failing to consider here is the character set of the active
> mysql connection. Correct me if I'm wrong, but it is my understanding
> that mysql_real_escape_string does not incur an extra trip to the
> database, the escaping still occurs within php, but it takes into
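The "character set of the active mysql connection" Dan refers to is the one the client library believes the connection uses, so it has to be set through the library, not with a bare "SET NAMES" query. The following is an added example, not code from the thread; it assumes the mysqli extension, a `users` table, and placeholder credentials.

```php
<?php
// Added example: escape using the connection's charset, then prefer
// prepared statements so input never passes through string escaping.

// Placeholder credentials (assumption, not from the thread).
$db = mysqli_connect('localhost', 'app_user', 'app_password', 'appdb');
if ($db === false) {
    die('connect failed: ' . mysqli_connect_error());
}

// Sets the charset on the client side as well as the server side.
// A plain mysqli_query($db, "SET NAMES utf8mb4") changes only the server,
// so mysqli_real_escape_string would still escape using the old charset.
if (!mysqli_set_charset($db, 'utf8mb4')) {
    die('set_charset failed: ' . mysqli_error($db));
}

$name = $_GET['name'] ?? '';

// 1. Escaping path: the escaper now knows the connection is utf8mb4 and
//    handles the characters listed earlier in the thread
//    (\x00, \n, \r, \, ', " and \x1a) according to that charset.
$safe = mysqli_real_escape_string($db, $name);
$res  = mysqli_query($db, "SELECT id FROM users WHERE name = '$safe'");

// 2. Preferred path: parameters are sent separately from the SQL text, so
//    the escaping question (and its charset dependency) does not arise.
$stmt = mysqli_prepare($db, 'SELECT id FROM users WHERE name = ?');
mysqli_stmt_bind_param($stmt, 's', $name);
mysqli_stmt_execute($stmt);
$row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
```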
David Krings wrote:
> Hi,
>
> my guess is that some of the characters escaped using the mysql
> escaping cannot be reasonably expected to come in from user input.
> Mysql_real_escape_string escapes all these:
> \x00, \n, \r, \, ', " and \x1a
> but I can't think of any way on how to get \
ended.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of David Krings
Sent: Tuesday, October 31, 2006 7:22 PM
To: NYPHP Talk
Subject: Re: [nyphp-talk] mysql_real_escape_string WAS: Mysql question!
Hi,
my guess is that some of the characters escaped using the
Hi,
my guess is that some of the characters escaped using the mysql
escaping cannot be reasonably expected to come in from user input.
Mysql_real_escape_string escapes all these:
\x00, \n, \r, \, ', " and \x1a
but I can't think of any way on how to get \x1a as user input
(assuming that
Hi,
from my experience, addslashes does the trick for the most part, but
mysql_real_escape_string is indeed the better one to use as it does
cover all possible (not only the likely) characters that could get MySQL
and its user in hot water.
From a practical viewpoint I'd just say both w
more mips than it's
worth?
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Rob Marscher
Sent: Tuesday, October 31, 2006 3:27 PM
To: NYPHP Talk
Subject: Re: [nyphp-talk] mysql_real_escape_string WAS: Mysql question!
A side note here about mysql_real_escape_string -
Cool... I thought Chris might have something on this. The previous
chapter is all about unicode/utf-8 - why you should use it, how you make
sure that your input is valid utf-8, etc... so maybe he was making the
statement in that context where everything has already been converted to
valid utf-
> I'm currently reading "Building Scalable Web Sites" by Cal Henderson
> (which I think is great so far for anyone making large [or potentially
> large] web apps). In the section about avoiding sql injection attacks,
> he says "the more complicated mysql_real_escape_string escapes a bunch
> more c
So are there any real tangible advantages to mysql_real_escape_string as
opposed to addslashes?
-Brian
Rob Marscher wrote:
> A side note here about mysql_real_escape_string - curious if anyone is
> an expert on this... In that last year, I switched over from using
> addslashes to using mysql_
A side note here about mysql_real_escape_string - curious if anyone is
an expert on this... In that last year, I switched over from using
addslashes to using mysql_real_escape_string to escape strings in sql
statements because it's the 'right thing to do.'
I'm currently reading "Building Scala