Does mysql_real_escape_string() FULLY protect against SQL injection?

by

According to Stefan Esser, mysql_real_escape_string() [is] not safe when SET NAMES is used.”

His explanation, from his blog:

SET NAMES is usually used to switch the encoding from what is default to what the application needs.
This is done in a way that mysql_real_escape_string doesn’t know about this. This means if you switch to some multi byte encoding that allows backslash as 2nd 3rd 4th… byte you run into trouble, because mysql_real_escape_string doesn’t escape correctly. UTF-8 is safe…

Safe way to change encoding is mysql_set_charset, but that is only available in new PHP versions

He does mention that UTF-8 is safe, though.

More Related Contents:

  1. How can I prevent SQL injection in PHP?
  2. SQL injection that gets around mysql_real_escape_string()
  3. Is “mysqli_real_escape_string” enough to avoid SQL injection or other SQL attacks?
  4. Reference: What is a perfect code sample using the MySQL extension? [closed]
  5. SQL injections in ADOdb and general website security
  6. Is mysql_real_escape_string() broken?
  7. Why is using a mysql prepared statement more secure than using the common escape functions?
  8. how safe are PDO prepared statements
  9. Shortcomings of mysql_real_escape_string?
  10. Do I have to guard against SQL injection if I used a dropdown?
  11. MySQL Prepared Statements
  12. Do I have to use mysql_real_escape_string if I bind parameters?
  13. Is mysql_real_escape_string enough to Anti SQL Injection?
  14. What is the PDO equivalent of function mysql_real_escape_string?
  15. How to create this type of JSON data from PHP [closed]
  16. how to write php code for the key press enter button when fill the form?
  17. Create hyperlink from html table row to open record on a new page
  18. mysql_fetch_array(): supplied argument is not a valid MySQL result resource [duplicate]
  19. SELECT COUNT(*) AS count – How to use this count
  20. How to execute two mysql queries as one in PHP/MYSQL?
  21. How to upload images into MySQL database using PHP code
  22. selecting unique values from a column
  23. How to display an BLOB image stored in MySql database?
  24. How to bind LIKE values using the PDO extension?
  25. How do I set the selected item in a drop down box
  26. Fatal error: Call to undefined function mysqli_result()
  27. WordPress Fatal error: Uncaught Error: Call to undefined function mysql_connect() in /wp-includes/wp-db.php:1570
  28. How can I employ “if exists” for creating or dropping an index in MySQL?
  29. PHP MySQL pagination with random ordering
  30. MYSQL select a piece of a string and order by that piece

Leave a Comment