Is `mysql_real_escape_string()` Truly Safe: Can Asian Character Encodings Bypass its Protection?

Susan Sarandon
Release: 2024-10-26 18:17:02

Does mysql_real_escape_string() Fully Safeguard Against SQL Injection?

A recent claim circulated that mysql_real_escape_string() can be bypassed with certain Asian character encodings, specifically Big5 and GBK. Is this assertion valid, and if it is, how can you protect your website without resorting to prepared statements?

The Vulnerability

According to Stefan Esser, mysql_real_escape_string() does present a vulnerability when the SET NAMES command is used. SET NAMES changes the connection's character encoding on the server, but the client library is never told about the change, so mysql_real_escape_string() keeps escaping under the encoding it was originally given. It is therefore oblivious to multi-byte encodings in which a backslash byte can appear as an additional (trailing) byte of a character, and the resulting incorrect escaping can compromise your website's security.

Safeguards

While UTF-8 encoding is not susceptible to this exploit, it is essential to use mysql_set_charset() to change encodings safely, because it informs the client library of the new charset so that escaping matches the connection. This function, however, is only available in newer PHP versions. If you cannot employ prepared statements or mysql_set_charset(), you may need to explore alternative methods to protect your website from SQL injection attacks.
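To make the mechanism described in the two sections above concrete, here is an added example written in Python for this page; it is not the article's, PHP's or MySQL's own code. It models, for GBK, the byte-wise escaping a client performs while it still believes the connection charset is single-byte (the state SET NAMES leaves the client library in), the charset-aware escaping it performs once it knows the real charset (what mysql_set_charset() enables), and a simplified version of how the server's scanner then consumes a single-quoted literal. The GBK byte ranges, the escape table and the scanner are simplifications written for this example, and every sample input is constructed.

```python
from typing import Optional

# GBK: lead bytes 0x81..0xFE, trail bytes 0x40..0x7E or 0x80..0xFE.
# Note that 0x5C (the backslash) is a legal trail byte.
GBK_LEAD = range(0x81, 0xFF)
GBK_TRAIL = (range(0x40, 0x7F), range(0x80, 0xFF))

# Single-byte escape table used by both escapers (simplified).
ESCAPE_MAP = {
    0x00: b"\\0", 0x27: b"\\'", 0x22: b'\\"',
    0x5C: b"\\\\", 0x0A: b"\\n", 0x0D: b"\\r",
}


def is_gbk_char(data: bytes, i: int) -> bool:
    """True if data[i:i+2] forms a complete two-byte GBK character."""
    return (i + 1 < len(data) and data[i] in GBK_LEAD
            and any(data[i + 1] in r for r in GBK_TRAIL))


def escape_single_byte(data: bytes) -> bytes:
    """Byte-wise escaping: what the client emits while its idea of the
    connection charset is still a single-byte one such as latin1."""
    out = bytearray()
    for b in data:
        out += ESCAPE_MAP.get(b, bytes([b]))
    return bytes(out)


def escape_gbk_aware(data: bytes) -> bytes:
    """Charset-aware escaping: complete GBK characters pass through whole,
    and a lead byte that does not start a valid character is itself
    escaped, so escaping can never manufacture a new two-byte character."""
    out = bytearray()
    i = 0
    while i < len(data):
        if is_gbk_char(data, i):
            out += data[i:i + 2]
            i += 2
            continue
        b = data[i]
        if b in GBK_LEAD:
            out += b"\\" + bytes([b])  # orphan lead byte: escape it
        else:
            out += ESCAPE_MAP.get(b, bytes([b]))
        i += 1
    return bytes(out)


def scan_literal(body: bytes) -> Optional[int]:
    """Simplified model of the server scanning the body of a quoted literal
    under GBK: a backslash consumes the next byte, a valid two-byte
    character is consumed whole, and an unescaped quote ends the literal.
    Returns the index of the quote that closes the literal, or None."""
    i = 0
    while i < len(body):
        b = body[i]
        if b == 0x5C:
            i += 2
        elif is_gbk_char(body, i):
            i += 2
        elif b == 0x27:
            return i
        else:
            i += 1
    return None


def query_is_intact(escaped: bytes) -> bool:
    """True if, for '<escaped>', the closing quote we append is the quote
    that actually ends the literal, i.e. nothing inside escaped the string."""
    return scan_literal(escaped + b"'") == len(escaped)


if __name__ == "__main__":
    # Constructed input: an orphan GBK lead byte directly followed by a quote.
    hostile = b"\xbf' tail"
    print("single-byte escaping keeps literal intact:",
          query_is_intact(escape_single_byte(hostile)))   # False
    print("charset-aware escaping keeps literal intact:",
          query_is_intact(escape_gbk_aware(hostile)))     # True
    # Constructed benign input: ordinary GBK text is untouched by both.
    benign = "中文".encode("gbk")
    print("benign text unchanged:", escape_gbk_aware(benign) == benign)
```

Under single-byte escaping the backslash inserted before the quote lands in the trail-byte position of the orphan lead byte, the server reads the two bytes as one character, and the quote that follows closes the literal early. Under charset-aware escaping the orphan lead byte is escaped first, so no new character is formed and the literal survives; that is the difference between SET NAMES alone and telling the client library about the charset (or, better, using prepared statements, where values never pass through the literal scanner at all).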
