According to Stefan Esser, “mysql_real_escape_string()
[is] not safe when SET NAMES
is used.”
His explanation, from his blog:
SET NAMES is usually used to switch the encoding from what is default to what the application needs.
This is done in a way thatmysql_real_escape_string
doesn’t know about this. This means if you switch to some multi byte encoding that allows backslash as 2nd 3rd 4th… byte you run into trouble, becausemysql_real_escape_string
doesn’t escape correctly. UTF-8 is safe…Safe way to change encoding is
mysql_set_charset
, but that is only available in new PHP versions
He does mention that UTF-8 is safe, though.