Re: Resolution for ver_export()/addslashes() encoding based script execution attack?

From:	Lester Caine	Date:	Wed, 26 Feb 2014 12:32:06 +0000
Subject:	Re: Resolution for ver_export()/addslashes() encoding based script execution attack?
References:	1 2 3 4 5 6 7 8 9 10	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

Yasuo Ohgaki wrote:
        As you know, all databases' escaping functions have encoding parameter.
        PostgreSQL uses encoding parameter stored in db connection structure. This
        is the reason why pg_escape_string() has optional database base connection
        parameter for escaping.


    On the whole any database access I'm doing with Firebird is done using
    parameters which are handled in the database connection rather than having
    to worry about many of these sorts of 'protections'. The result for me is
    that I don't have to worry about many of the problems the more lax handling
    of data in MySQL can create. But the more important thing here is that I've
    not used a 'locale' other than UTF8 for websites for many years and so the
    whole underlying structure needs fixing rather than trying to patch small
    areas that are better handled by doing the job correctly in the first place!


We cannot force users to use Unicode for database/file/etc ;)
I'm not proposing use of locale, but new escape API that support multibyte
encoding.

My point Yasuo is that I think the reason this has been rejected is simply because there needs to be a more comprehensive review of how 'multi_byte' characters are handled? There needs to be at least some agreement moving forward if PHP should be made fully UTF-8 complaint or the alternative 'ASCII only' for code, so that perhaps 'mb_' SHOULD be the only way to handle multi byte strings? Short term fixes are just exacerbating the real problem? Also I don't see how the RFC addressed the problem anyway. While I use UTF-8 output exclusively I've not had to resort to mbstring extension to do so yet so would not even use the extra functions in normal production.

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk


   

Thread (20 messages)

• Yasuo OhgakiMon, 24 Feb 2014 09:41:03 +0000
  • Nikita PopovMon, 24 Feb 2014 11:07:05 +0000
    • Yasuo OhgakiTue, 25 Feb 2014 05:07:02 +0000
      • Stas MalyshevTue, 25 Feb 2014 06:47:23 +0000
        • Yasuo OhgakiTue, 25 Feb 2014 10:36:11 +0000
          • Stas MalyshevTue, 25 Feb 2014 11:01:12 +0000
            • Johannes SchlüterTue, 25 Feb 2014 11:39:40 +0000
              • Yasuo OhgakiWed, 26 Feb 2014 06:15:01 +0000
                • Lester CaineWed, 26 Feb 2014 09:03:03 +0000
                  • Yasuo OhgakiWed, 26 Feb 2014 09:21:08 +0000
                    • Lester CaineWed, 26 Feb 2014 12:32:06 +0000
                      • Yasuo OhgakiWed, 26 Feb 2014 22:28:23 +0000
                        • Pádraic BradyThu, 27 Feb 2014 22:22:47 +0000
                          • Yasuo OhgakiThu, 27 Feb 2014 23:08:19 +0000
                            • Pierre JoyeFri, 28 Feb 2014 00:28:39 +0000
              • Stas MalyshevWed, 26 Feb 2014 11:52:40 +0000
                • Yasuo OhgakiWed, 26 Feb 2014 21:23:32 +0000
                  • Stas MalyshevFri, 28 Feb 2014 18:57:29 +0000
                    • Yasuo OhgakiSat, 01 Mar 2014 00:19:41 +0000
            • Yasuo OhgakiWed, 26 Feb 2014 05:25:45 +0000