SQL injection and multibyte encoding processing
Hi,
The recent announcement of 4.1.20 (and others) warns that:
> when character set unaware escaping is used (e.g.,
> addslashes() in PHP), it is possible to bypass it
> in some multibyte character sets (e.g., SJIS, BIG5
> and GBK). As a result, a function like addslashes()
> is not able to prevent SQL injection attacks. It is
> impossible to fix this on the server side.
We have an Apache server in front of Perl in front of MySQL 4.1, and we don't care about allowing multibyte encoding at all. Is there any way, from the Apache side, the Perl side, or the MySQL configuration, that we can tell it to just deal with single-byte encodings, avoiding this problem without changing the backslash-escaping method we have used all over the place?
I understand the suggested fix, but if I can protect us from the problem in a simpler way, that makes more sense for our (and I suspect others') situation.
Thanks,
Fred
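The bypass the quoted advisory describes, reproduced as an added example that is not part of Fred's post or of the MySQL advisory. It is written in Python rather than the Perl or PHP the thread discusses because the mechanism is the same for any byte-oriented escaping routine: a byte-by-byte addslashes() puts a backslash (0x5C) in front of a quote, and if the byte before the quote is a valid GBK lead byte, the server reads lead byte plus backslash as one two-byte character and the quote is left bare. The query shape, the sample inputs and the helper names (addslashes, charset_aware_escape, unescaped_quote_count) are constructed for illustration; the counting function is a deliberately small model of how a string literal is lexed and is not MySQL's own lexer.

```python
# Added example (not code from the forum post or from MySQL). It contrasts
# character-set-unaware escaping with escaping that is done after decoding in
# the connection character set. All inputs below are constructed samples.

ATTACK = b"\xbf' OR 1=1 -- "   # constructed: 0xBF (a GBK lead byte) then a quote


def addslashes(raw: bytes) -> bytes:
    """Character-set-unaware escaping, modelled on PHP's addslashes(): walks
    the input byte by byte and backslash-prefixes ' " \\ and NUL without
    asking whether a byte is the trail byte of a multibyte character."""
    out = bytearray()
    for b in raw:
        if b == 0x00:
            out += b"\\0"
            continue
        if b in (0x27, 0x22, 0x5C):        # ' " \
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def charset_aware_escape(raw: bytes, charset: str) -> bytes:
    """Escape in the text domain: decode strictly in the connection charset,
    escape per character, then encode again. The escaping backslash is then
    a character of its own and cannot be absorbed as a trail byte. Malformed
    input (a lead byte followed by an invalid trail byte) is rejected."""
    try:
        text = raw.decode(charset)           # strict: raises on bad sequences
    except UnicodeDecodeError as exc:
        raise ValueError(f"input is not valid {charset}") from exc
    escaped = (text.replace("\\", "\\\\")
                   .replace("'", "\\'")
                   .replace('"', '\\"')
                   .replace("\x00", "\\0"))
    return escaped.encode(charset)


def build_query(escaped_value: bytes) -> bytes:
    """Assemble the statement the way string-concatenating code does."""
    return b"SELECT * FROM users WHERE name = '" + escaped_value + b"'"


def unescaped_quote_count(query: bytes, charset: str) -> int:
    """Count single quotes that act as delimiters once the server has decoded
    the statement in the connection charset. A backslash escapes the next
    character, as inside a MySQL string literal. If the escaping held, the
    one literal in build_query() yields exactly 2 (open and close); 3 means
    the injected quote closed the literal early."""
    text = query.decode(charset, errors="replace")
    count = 0
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            i += 2                           # skip the escaped character
            continue
        if ch == "'":
            count += 1
        i += 1
    return count


def naive_escaping_result(charset: str) -> int:
    """Delimiter count when ATTACK is escaped with addslashes() and the
    connection charset is `charset`: 2 under latin-1, 3 under gbk."""
    return unescaped_quote_count(build_query(addslashes(ATTACK)), charset)


def aware_escaping_result(raw: bytes, charset: str) -> int:
    """Delimiter count when the same statement is built with charset-aware
    escaping; stays at 2 for any well-formed input."""
    return unescaped_quote_count(build_query(charset_aware_escape(raw, charset)), charset)


def rejects_malformed(raw: bytes, charset: str) -> bool:
    """True if charset-aware escaping refuses the input as not valid text."""
    try:
        charset_aware_escape(raw, charset)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("addslashes, latin-1:", naive_escaping_result("latin-1"))  # 2: literal intact
    print("addslashes, gbk:    ", naive_escaping_result("gbk"))      # 3: literal broken
    legit = b"\xbf\x5c".decode("gbk") + "' OR 1=1 -- "   # a real GBK char, then a quote
    print("aware, gbk:         ", aware_escaping_result(legit.encode("gbk"), "gbk"))  # 2
    print("attack rejected:    ", rejects_malformed(ATTACK, "gbk"))  # True
```

Two things are visible in the output. With the connection character set declared as a single-byte encoding (latin-1), the byte-oriented escaping holds, which is what makes the advisory's caveat specific to multibyte sets such as SJIS, BIG5 and GBK; with GBK declared, the same escaped bytes decode to a two-byte character followed by a bare quote. Escaping after decoding in the connection character set (the approach behind character-set-aware routines such as mysql_real_escape_string) keeps the literal intact and rejects the malformed attack bytes outright, since a lead byte followed by 0x27 is not a valid GBK sequence.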
Posted May 31, 2006 07:23PM