MySQL Forums

SQL injection and multibyte encoding processing
Posted by: Fred Fredricks
Date: May 31, 2006 07:23PM

Hi,

The recent announcement of 4.1.20 (and others) warns that:

> when character set unaware escaping is used (e.g.,
> addslashes() in PHP), it is possible to bypass it
> in some multibyte character sets (e.g., SJIS, BIG5
> and GBK). As a result, a function like addslashes()
> is not able to prevent SQL injection attacks. It is
> impossible to fix this on the server side.

We have an Apache server in front of Perl in front of MySQL 4.1, and we don't care about allowing multibyte encoding at all. Is there any way, from the Apache side, the Perl side, or the MySQL configuration, that we can tell it to just deal with single-byte encodings, avoiding this problem without changing the backslash-escaping method we have used all over the place?

I understand the suggested fix, but if I can protect us from the problem in a simpler way, that makes more sense for our (and I suspect others') situation.

Thanks,
Fred
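The advisory quoted above describes a property of the connection character set: in some multibyte charsets the backslash that a byte-level escaper inserts can become the trail byte of the preceding multibyte character, so the escape is lost. The following Python is an added example (not from the post, the MySQL announcement, or any MySQL client library) that makes that property checkable: `escape_byte_can_be_swallowed()` reports whether a given charset has this problem, and `escape_for_connection()` shows the charset-aware alternative, escaping only after strictly decoding the bytes under the connection charset. All function names and the sample inputs are constructed for this illustration.

```python
import codecs

ESCAPE_BYTE = 0x5C  # backslash, the byte addslashes()-style escaping inserts


def lead_bytes(charset: str) -> list[int]:
    """Byte values that, on their own, start a multibyte sequence in this
    charset. Detected by feeding one byte to an incremental decoder: a lead
    byte is buffered (empty output), a complete character is emitted, and an
    undefined byte raises. Single-byte charsets such as latin1 return []."""
    leads = []
    for b in range(256):
        dec = codecs.getincrementaldecoder(charset)()
        try:
            if dec.decode(bytes([b]), final=False) == '':
                leads.append(b)
        except UnicodeDecodeError:
            pass  # undefined byte, but not a lead byte
    return leads


def escape_byte_can_be_swallowed(charset: str) -> bool:
    """True when some lead byte followed by a backslash decodes as ONE valid
    character. In that case a backslash inserted by byte-level escaping can be
    absorbed into the preceding character, which is the mechanism behind the
    advisory's warning about SJIS, BIG5 and GBK. UTF-8 never has this
    property because its trail bytes are all >= 0x80."""
    for lead in lead_bytes(charset):
        try:
            if len(bytes([lead, ESCAPE_BYTE]).decode(charset)) == 1:
                return True
        except UnicodeDecodeError:
            continue
    return False


def escape_text(text: str) -> str:
    """Escape at the character level (same rules addslashes() applies to
    bytes, but applied to decoded code points)."""
    return (text.replace('\\', '\\\\')
                .replace("'", "\\'")
                .replace('"', '\\"')
                .replace('\x00', '\\0'))


def escape_for_connection(raw: bytes, charset: str) -> bytes:
    """Charset-aware escaping: decode strictly under the connection charset,
    escape the decoded text, re-encode. Bytes that do not form a valid
    character under that charset raise UnicodeDecodeError instead of being
    passed through, so there is never a half-character for a backslash to
    join. With a single-byte charset this is identical to byte-level escaping,
    which is why pinning the connection to latin1 removes the problem."""
    text = raw.decode(charset, errors='strict')
    return escape_text(text).encode(charset)


if __name__ == '__main__':
    for cs in ('latin1', 'utf-8', 'gbk', 'cp932'):
        print(f"{cs:7} byte-level escaping unsafe: {escape_byte_can_be_swallowed(cs)}")
    # constructed sample input: a surname with an apostrophe, latin1 connection
    print(escape_for_connection(b"O'Brien", 'latin1'))
```

`lead_bytes()` relies on Python's incremental decoders buffering an incomplete multibyte sequence when `final=False`, which holds for the stateful CJK codecs and UTF-8. The practical reading for the situation in the post: if the connection charset reports `False` here (latin1 does), the existing backslash escaping is not exposed to this particular bypass; if it reports `True`, escape after decoding (as `escape_for_connection()` does) or, better, move the affected queries to DBI placeholders so no escaping is needed at all.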



