Does mysql_real_escape_string() FULLY protect against SQL injection?
On http://www.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/?akst_action=share-this , there is a section that claims you can bypass mysql_real_escape_string with certain Asian character encodings
Bypassing mysql_real_escape_string() with BIG5 or GBK
"injection string"
に関する追加情報:the above chars are Chinese Big5
Is this really true? And if so, how would you protect your website against this, if you had no access to prepared statements?
Answer
According to Stefan Esser, "mysql_real_escape_string() [is] not safe when SET NAMES is used."
His explanation, from his blog:
SET NAMES is usually used to switch the encoding from what is default to what the application needs. This is done in a way that
mysql_real_escape_stringdoesn’t know about this. This means if you switch to some multi byte encoding that allows backslash as 2nd 3rd 4th… byte you run into trouble, becausemysql_real_escape_stringdoesn’t escape correctly. UTF-8 is safe…Safe way to change encoding is
mysql_set_charset, but that is only available in new PHP versions
He does mention that UTF-8 is safe, though.