Does mysql_real_escape_string() FULLY protect against SQL injection?

LM. · Aug 3, 2009 · Viewed 12.7k times

On http://www.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/?akst_action=share-this , there is a section that claims you can bypass mysql_real_escape_string with certain Asian character encodings

Bypassing mysql_real_escape_string() with BIG5 or GBK

"injection string"
Additional information about this:

the above chars are Chinese Big5

Is this really true? And if so, how would you protect your website against this, if you had no access to prepared statements?

Answer

Josh Davis · Aug 3, 2009

According to Stefan Esser, "mysql_real_escape_string() [is] not safe when SET NAMES is used."

His explanation, from his blog:

SET NAMES is usually used to switch the encoding from what is default to what the application needs. This is done in a way that mysql_real_escape_string doesn’t know about this. This means if you switch to some multi byte encoding that allows backslash as 2nd 3rd 4th… byte you run into trouble, because mysql_real_escape_string doesn’t escape correctly. UTF-8 is safe…

Safe way to change encoding is mysql_set_charset, but that is only available in new PHP versions

He does mention that UTF-8 is safe, though.
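The mechanism Esser describes can be modelled in a few lines. The following is an added example, not code from the question, the answer, or MySQL itself: a byte-oriented escaper stands in for `mysql_real_escape_string()` running with a stale (single-byte) idea of the connection charset, Python's `gbk`, `big5`, `utf-8` and `latin1` codecs stand in for the server's `SET NAMES` charset, and `charset_aware_escape()` models what `mysql_set_charset()` buys you. The function names and the sample bytes are this example's own constructions; the charset-aware escaper here simply rejects malformed input, which is a modelling choice, not a description of libmysql's algorithm.

```python
# Added example: why byte-wise escaping breaks under GBK/Big5 but not UTF-8.
# Not code from the page; all names and sample inputs are constructed here.

# Single-byte escapes modelled here (subset of what mysql_real_escape_string
# handles; NUL, CR and LF are omitted for brevity).
_ESCAPED = {0x27: b"\\'", 0x22: b'\\"', 0x5C: b"\\\\"}


def naive_escape(data: bytes) -> bytes:
    """Escape byte by byte, as a client library does when it still believes
    the connection uses a single-byte charset (the SET NAMES situation)."""
    return b"".join(_ESCAPED.get(b, bytes([b])) for b in data)


def charset_aware_escape(data: bytes, charset: str):
    """Escape on characters, not bytes: decode in the connection charset
    first, so an inserted backslash can never land inside a character.
    Returns None when the input is not well-formed in that charset (a
    modelling choice for this example; libmysql escapes the stray lead
    byte instead of rejecting the input)."""
    try:
        text = data.decode(charset)
    except UnicodeDecodeError:
        return None
    text = text.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
    return text.encode(charset)


def unescaped_quote_survives(escaped: bytes, charset: str) -> bool:
    """Scan the bytes the way a server configured for `charset` would:
    decode, skip over backslash escapes, and report any bare single quote."""
    text = escaped.decode(charset, errors="replace")
    i = 0
    while i < len(text):
        if text[i] == "\\":
            i += 2          # a backslash consumes the character after it
            continue
        if text[i] == "'":
            return True
        i += 1
    return False


def backslash_can_be_trail_byte(charset: str) -> bool:
    """Can 0x5C appear as a non-leading byte of some encodable BMP character?
    This is the property that makes GBK and Big5 dangerous and UTF-8 safe
    (UTF-8 continuation bytes are always 0x80..0xBF)."""
    for cp in range(0x80, 0x10000):
        try:
            enc = chr(cp).encode(charset)
        except UnicodeEncodeError:
            continue
        if len(enc) > 1 and 0x5C in enc[1:]:
            return True
    return False


# Constructed input: a stray high byte (a possible GBK/Big5 lead byte)
# immediately followed by a single quote, then ordinary text.
SAMPLE = b"\xbf'x"

# Constructed legitimate input: a Big5 character whose trailing byte is 0x5C,
# followed by a quote the user actually typed.
LEGIT_BIG5 = "功'".encode("big5")        # a5 5c 27

if __name__ == "__main__":
    escaped = naive_escape(SAMPLE)
    print("naive escaping produced:", escaped.hex(" "))
    for cs in ("gbk", "big5", "utf-8", "latin1"):
        print(f"{cs:7s} bare quote survives: {unescaped_quote_survives(escaped, cs)!s:5}"
              f" | 0x5C can be a trail byte: {backslash_can_be_trail_byte(cs)}")
    print("charset-aware (gbk) on SAMPLE:", charset_aware_escape(SAMPLE, "gbk"))
    print("charset-aware (big5) on legit input:",
          charset_aware_escape(LEGIT_BIG5, "big5").hex(" "))
```

Running it shows the two halves of the answer: for `gbk` and `big5` the naively escaped bytes decode to a multibyte character followed by a bare quote, while for `utf-8` and `latin1` the quote stays escaped, matching Esser's remark that UTF-8 is safe. The charset-aware escaper never produces that result, because it only inserts backslashes between whole characters; for the legitimate Big5 input it returns `a5 5c 5c 27`, which the server reads as 功 followed by an escaped quote.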