[nycphp-talk] mysql_real_escape_string and setting of charset

Darian Anthony Patrick darian at criticode.com
Fri Mar 9 13:47:38 EST 2007


To clarify, I'm unclear as to what "connection" means in

"Escapes special characters in the unescaped_string, taking into account
the current character set of the connection so that it is safe to place
it in a mysql_query()." -
http://us3.php.net/manual/en/function.mysql-real-escape-string.php

I'm guessing it's the charset of the MySQL client
(http://us3.php.net/manual/en/function.mysql-client-encoding.php)
connection.

Darian Anthony Patrick wrote:
> Good afternoon all,
> 
> I have several questions regarding mysql_real_escape_string (and the like).
> 
> When default_charset is not set in php.ini, it appears that PHP has no
> fallback default.  Am I wrong in this thinking?  Is UTF-8 the default?
> 
> It seems best practice would dictate using the same charset from
> persistent storage (i.e., tables defined as utf8_unicode_ci), through to
> HTML output (Content-type header, meta tag).  But what about cases where
> the database needs to use UTF-8, but a front-end is being written that
> does not?
> 
> What is the behavior of mysql_real_escape_string when default_charset is
> not defined?
> 
> Also, how does one define charset (as it pertains to
> mysql_real_escape_string) at runtime?
> 
> And could anyone direct me to (or incant) a working exploit that takes
> advantage of the default_charset not being defined, or being defined
> incorrectly?
> 
> I've been doing my homework on this, but am coming up with insufficient
> information on this topic.
> 
> Thanks very much everyone,
> 
> Darian

--
Darian Anthony Patrick
Principal, Application Development
Criticode LLC
(215) 240-6566 Office
(866) 789-2992 Facsimile
Web:   http://criticode.com
Email: darian at criticode.com
JID:   darian at jabber.criticode.net