Re: Resolution for ver_export()/addslashes() encoding based script execution attack?
Hi Lester,
On Wed, Feb 26, 2014 at 6:03 PM, Lester Caine <[email protected]> wrote:
> Yasuo Ohgaki wrote:
>
>> As you know, all databases' escaping functions have encoding parameter.
>> PostgreSQL uses encoding parameter stored in db connection structure. This
>> is the reason why pg_escape_string() has an optional database connection
>> parameter for escaping.
>>
>
> On the whole any database access I'm doing with Firebird is done using
> parameters which are handled in the database connection rather than having
> to worry about many of these sorts of 'protections'. The result for me is
> that I don't have to worry about many of the problems the more lax handling
> of data in MySQL can create. But the more important thing here is that I've
> not used a 'locale' other than UTF8 for websites for many years and so the
> whole underlying structure needs fixing rather than trying to patch small
> areas that are better handled by doing the job correctly in the first place!
We cannot force users to use Unicode for database/file/etc ;)
I'm not proposing use of locale, but a new escape API that supports multibyte
encoding.
Regards,
--
Yasuo Ohgaki
[email protected]
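An added example, not code from this thread or from PHP itself, of what an escape API with an explicit encoding parameter (in the spirit of the connection argument to pg_escape_string() mentioned above) looks like; escape_for_encoding() is a hypothetical helper and the Shift_JIS and UTF-8 samples are constructed:

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread or from PHP. escape_for_encoding() is a
// hypothetical helper that takes the encoding explicitly: addslashes() works on
// bytes and cannot tell whether a 0x5C or 0x27 byte is a character of its own or
// the tail of a multibyte sequence, so this helper validates the encoding first
// and then escapes per character.
function escape_for_encoding(string $input, string $encoding): string
{
    // Refuse byte sequences that are not valid in the declared encoding, so the
    // escaper and the consumer (database, var_export() reader) cannot disagree
    // about where character boundaries are.
    if (!mb_check_encoding($input, $encoding)) {
        throw new InvalidArgumentException("input is not valid $encoding");
    }
    $out = '';
    foreach (mb_str_split($input, 1, $encoding) as $ch) {
        // Whole-character comparison: a multibyte character whose trailing byte
        // happens to be 0x5C or 0x27 is left untouched.
        if ($ch === "'" || $ch === '"' || $ch === '\\') {
            $out .= '\\' . $ch;
        } elseif ($ch === "\0") {
            $out .= '\\0';
        } else {
            $out .= $ch;
        }
    }
    return $out;
}

// Constructed samples. In Shift_JIS the character "ソ" is the two bytes 0x83 0x5C;
// its second byte equals an ASCII backslash, which a byte-oriented escaper mangles.
$sjisSo = "\x83\x5C";
echo "addslashes:          ", bin2hex(addslashes($sjisSo)), "\n";
echo "encoding-aware SJIS: ", bin2hex(escape_for_encoding($sjisSo, 'SJIS')), "\n";
echo "UTF-8 apostrophe:    ", escape_for_encoding("O'Reilly", 'UTF-8'), "\n";

try {
    // Overlong UTF-8 sequence: rejected instead of being escaped byte by byte.
    escape_for_encoding("\xC0\xAF'", 'UTF-8');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Comparing the two hex dumps shows the byte-oriented escaper inserting a backslash inside the Shift_JIS character while the encoding-aware one leaves it whole.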