Re: Resolution for ver_export()/addslashes() encoding based script execution attack?
Yasuo Ohgaki wrote:
As you know, all databases' escaping functions have encoding parameter.
PostgreSQL uses encoding parameter stored in db connection structure. This
is the reason why pg_escape_string() has optional database base connection
parameter for escaping.
On the whole any database access I'm doing with Firebird is done using parameters which are handled in the database connection rather than having to worry about many of these sorts of 'protections'. The result for me is that I don't have to worry about many of the problems the more lax handling of data in MySQL can create. But the more important thing here is that I've not used a 'locale' other than UTF8 for websites for many years and so the whole underlying structure needs fixing rather than trying to patch small areas that are better handled by doing the job correctly in the first place!
--
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
Thread (20 messages)