php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #60765 mysqli_real_escape_string not parse multibyte word safe while use mysqlnd
Submitted: 2012-01-16 05:50 UTC Modified: 2012-01-26 10:02 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: xiaqii at gmail dot com Assigned: uw (profile)
Status: Not a bug Package: MySQLi related
PHP Version: 5.3.9 OS: ubuntu 10
Private report: No CVE-ID: None
 [2012-01-16 05:50 UTC] xiaqii at gmail dot com
Description:
------------
some Multibyte word contain \ ASCII code didn't been escaped.

Test script:
---------------
$link=mysqli_connect(............);
$var="海賊";
$var=mysqli_real_escape_string($link,$var);
mysqli_query($link,"INSERT INTO table SET manga_name='$var'");
///////////////////////////////////////////////////


Expected result:
----------------
sql injection

Actual result:
--------------
it is dangerous.
my reply table has been update to all one word because this..

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-01-16 06:19 UTC] xiaqii at gmail dot com
i recomplie my php with old style --with-mysqli=/usr/local/mysql/bin/mysql_config' 

the sql is safe and execute ok.

so the bug is : mysqlnd not parse some multibyte word.
this can be sql injection problem.

i hope my english is enough to explain this bug clearly..  -_-!
 [2012-01-16 06:19 UTC] xiaqii at gmail dot com
-Summary: mysqli_real_escape_string not work while use mysqlnd +Summary: mysqli_real_escape_string not parse multibyte word safe while use mysqlnd
 [2012-01-22 19:44 UTC] rasmus@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: uw
 [2012-01-26 02:48 UTC] xiaqii at gmail dot com
my site's charset is GBK
 [2012-01-26 10:02 UTC] johannes@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

You have to call mysqli_set_charset() to set the correct encoding so PHP and the MySQL server know hat data to expect and how to interpret it.
 [2012-01-26 10:02 UTC] johannes@php.net
-Status: Assigned +Status: Bogus
 [2012-01-29 08:31 UTC] xiaqii at gmail dot com
i do set charset with
$dbcharset="GBK";
mysqli_query($this->linkID, "SET character_set_connection=$dbcharset, character_set_results=$dbcharset, character_set_client=binary") or $this->error("set names error");


and my mysqlserver's default charset in my.cnf is also "GBK"
i'll retest it ASAP.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 07 06:01:28 2024 UTC