PHP :: Bug #60765 :: mysqli_real_escape_string not parse multibyte word safe while use mysqlnd

Bug #60765

mysqli_real_escape_string not parse multibyte word safe while use mysqlnd

Submitted:

2012-01-16 05:50 UTC

Modified:

2012-01-26 10:02 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

xiaqii at gmail dot com

Assigned:

uw (profile)

Status:

Not a bug

Package:

MySQLi related

PHP Version:

5.3.9

OS:

ubuntu 10

Private report:

CVE-ID:

None

View Developer Edit

[2012-01-16 05:50 UTC] xiaqii at gmail dot com

Description:
------------
some Multibyte word contain \ ASCII code didn't been escaped.

Test script:
---------------
$link=mysqli_connect(............);
$var="海賊";
$var=mysqli_real_escape_string($link,$var);
mysqli_query($link,"INSERT INTO table SET manga_name='$var'");
///////////////////////////////////////////////////


Expected result:
----------------
sql injection

Actual result:
--------------
it is dangerous.
my reply table has been update to all one word because this..

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2012-01-16 06:19 UTC] xiaqii at gmail dot com

i recomplie my php with old style --with-mysqli=/usr/local/mysql/bin/mysql_config' 

the sql is safe and execute ok.

so the bug is : mysqlnd not parse some multibyte word.
this can be sql injection problem.

i hope my english is enough to explain this bug clearly..  -_-!

[2012-01-16 06:19 UTC] xiaqii at gmail dot com

-Summary: mysqli_real_escape_string not work while use mysqlnd +Summary: mysqli_real_escape_string not parse multibyte word safe while use mysqlnd

[2012-01-22 19:44 UTC] rasmus@php.net

-Status: Open +Status: Assigned -Assigned To: +Assigned To: uw

[2012-01-26 02:48 UTC] xiaqii at gmail dot com

my site's charset is GBK

[2012-01-26 10:02 UTC] johannes@php.net

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

You have to call mysqli_set_charset() to set the correct encoding so PHP and the MySQL server know hat data to expect and how to interpret it.

[2012-01-26 10:02 UTC] johannes@php.net

-Status: Assigned +Status: Bogus

[2012-01-29 08:31 UTC] xiaqii at gmail dot com

i do set charset with
$dbcharset="GBK";
mysqli_query($this->linkID, "SET character_set_connection=$dbcharset, character_set_results=$dbcharset, character_set_client=binary") or $this->error("set names error");


and my mysqlserver's default charset in my.cnf is also "GBK"
i'll retest it ASAP.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Oct 25 16:00:02 2025 UTC