Bug #60765 mysqli_real_escape_string not parse multibyte word safe while use mysqlnd
Submitted: 2012-01-16 05:50 UTC Modified: 2012-01-26 10:02 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: xiaqii at gmail dot com Assigned: uw (profile)
Status: Not a bug Package: MySQLi related
PHP Version: 5.3.9 OS: ubuntu 10
Private report: No CVE-ID: None
 [2012-01-16 05:50 UTC] xiaqii at gmail dot com
Description:
------------
Some multibyte words contain the \ ASCII code, which wasn't escaped.

Test script:
---------------
$link=mysqli_connect(............);
$var="海賊";
$var=mysqli_real_escape_string($link,$var);
mysqli_query($link,"INSERT INTO table SET manga_name='$var'");
///////////////////////////////////////////////////


Expected result:
----------------
sql injection

Actual result:
--------------
It is dangerous.
My reply table has been updated to all one word because of this.

 [2012-01-16 06:19 UTC] xiaqii at gmail dot com
I recompiled my PHP with the old style '--with-mysqli=/usr/local/mysql/bin/mysql_config'.

The SQL is safe and executes OK.

So the bug is: mysqlnd does not parse some multibyte words.
This can be an SQL injection problem.

I hope my English is enough to explain this bug clearly.. -_-!
 [2012-01-16 06:19 UTC] xiaqii at gmail dot com
-Summary: mysqli_real_escape_string not work while use mysqlnd
+Summary: mysqli_real_escape_string not parse multibyte word safe while use mysqlnd
 [2012-01-22 19:44 UTC] rasmus@php.net
-Status: Open
+Status: Assigned
-Assigned To:
+Assigned To: uw
 [2012-01-26 02:48 UTC] xiaqii at gmail dot com
My site's charset is GBK.
 [2012-01-26 10:02 UTC] johannes@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

You have to call mysqli_set_charset() to set the correct encoding so PHP and the MySQL server know what data to expect and how to interpret it.
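Why the escaping routine has to know the connection charset, shown as an added example (not part of the original thread, and not mysqlnd's or libmysqlclient's code). It is a simplified Python model with hypothetical function names; the byte-wise mode is an assumption standing in for a client whose charset was never set to GBK.

```python
# Simplified model of SQL string escaping, with and without GBK awareness.
# Added illustration only; names and structure are hypothetical.

SPECIAL = {0x00: b"\\0", 0x0A: b"\\n", 0x0D: b"\\r", 0x1A: b"\\Z",
           0x27: b"\\'", 0x22: b'\\"', 0x5C: b"\\\\"}

def gbk_char_len(data, i):
    """Length (1 or 2 bytes) of the GBK character starting at data[i]."""
    lead = data[i]
    if 0x81 <= lead <= 0xFE and i + 1 < len(data):
        trail = data[i + 1]
        # GBK trail bytes span 0x40-0xFE (minus 0x7F), which includes 0x5C.
        if 0x40 <= trail <= 0xFE and trail != 0x7F:
            return 2
    return 1

def escape(data, charset):
    """Escape bytes for a quoted SQL literal under the given charset."""
    out = bytearray()
    i = 0
    while i < len(data):
        n = gbk_char_len(data, i) if charset == "gbk" else 1
        if n == 2:
            out += data[i:i + 2]  # copy the whole character untouched
        else:
            out += SPECIAL.get(data[i], data[i:i + 1])
        i += n
    return bytes(out)

def server_view(escaped):
    """What a server reading the connection as GBK sees between the quotes."""
    return escaped.decode("gbk")

raw = "海賊".encode("gbk")  # the string from the test script above

if __name__ == "__main__":
    # Byte-wise escaping treats the 0x5C trail byte as a backslash and
    # doubles it, so a GBK reader is left with a stray backslash.
    print(repr(server_view(escape(raw, "latin1"))))
    # Charset-aware escaping skips over the two-byte character.
    print(repr(server_view(escape(raw, "gbk"))))
```

The stray backslash in the first result lands directly before the closing quote of the SQL literal, which is why the client and server must agree on the encoding before any escaping takes place.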
 [2012-01-26 10:02 UTC] johannes@php.net
-Status: Assigned
+Status: Bogus
 [2012-01-29 08:31 UTC] xiaqii at gmail dot com
I do set the charset with
$dbcharset="GBK";
mysqli_query($this->linkID, "SET character_set_connection=$dbcharset, character_set_results=$dbcharset, character_set_client=binary") or $this->error("set names error");


And my MySQL server's default charset in my.cnf is also "GBK".
I'll retest it ASAP.
Last updated: Wed May 07 03:01:27 2025 UTC