Newsgroups: php.internals
Xref: news.php.net php.internals:72817
Message-ID: <530DADC7.2070302@lsces.co.uk>
Date: Wed, 26 Feb 2014 09:03:03 +0000
To: internals@lists.php.net
References: <530C3C7B.8080907@sugarcrm.com> <530C77F8.2060809@sugarcrm.com> <1393328380.5233.45.camel@guybrush>
Subject: Re: [PHP-DEV] Resolution for ver_export()/addslashes() encoding based script execution attack?
From: lester@lsces.co.uk (Lester Caine)

Yasuo Ohgaki wrote:
> As you know, all databases' escaping functions have an encoding parameter.
> PostgreSQL uses the encoding parameter stored in the db connection structure. This
> is the reason why pg_escape_string() has an optional database connection
> parameter for escaping.

On the whole, any database access I'm doing with Firebird is done using parameters, which are handled in the database connection, rather than having to worry about many of these sorts of 'protections'. The result for me is that I don't have to worry about many of the problems the more lax handling of data in MySQL can create.

But the more important thing here is that I've not used a 'locale' other than UTF8 for websites for many years, and so the whole underlying structure needs fixing rather than trying to patch small areas that are better handled by doing the job correctly in the first place!

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
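The two points raised in the thread above (an escaper must know the connection encoding, and bound parameters sidestep the whole problem) are illustrated by the following added example. It is not code from the thread or from PHP itself: it models addslashes() as a byte-wise "backslash before ' \" \\ NUL" transform, uses GBK as the assumed connection charset (where the byte pair 0xBF 0x5C is a valid two-byte character, so a lead byte placed before the inserted backslash swallows it), and executes the resulting statements against an in-memory SQLite table with constructed rows. SQLite is used only as a stand-in engine to run the already broken-out statement, since its own literal syntax does not use backslash escapes.

```python
"""
Added example: byte-wise escaping vs encoding-aware escaping vs bound
parameters on a multibyte charset (GBK assumed as the connection charset).
Not code from the php.internals thread; table contents are constructed.
"""
import sqlite3

CHARSET = "gbk"
SPECIAL = {0x27, 0x22, 0x5C, 0x00}  # ' " \ NUL

# Constructed inputs. The attack one starts with a lone GBK lead byte.
ATTACK = b"\xbf' OR 1=1 -- "
BENIGN = "张".encode(CHARSET) + b"' OR 1=1 -- "


def addslashes(raw: bytes) -> bytes:
    """Model of PHP's byte-oriented addslashes(): no charset knowledge."""
    out = bytearray()
    for b in raw:
        if b in SPECIAL:
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def escape_for_charset(raw: bytes, charset: str) -> bytes:
    """Encoding-aware escaping: decode strictly, escape per code point.

    A stray lead byte cannot pair with the backslash we insert, because an
    invalid sequence is rejected up front (UnicodeDecodeError)."""
    text = raw.decode(charset)
    text = text.replace("\\", "\\\\").replace("'", "\\'")
    return text.encode(charset)


def encoding_aware_rejects(raw: bytes, charset: str) -> bool:
    """True when the encoding-aware escaper refuses the input outright."""
    try:
        escape_for_charset(raw, charset)
    except UnicodeDecodeError:
        return True
    return False


def build_sql(escaped_name: bytes, charset: str) -> str:
    """The statement as the SQL parser sees it after decoding as `charset`."""
    raw = b"SELECT name FROM users WHERE name = '" + escaped_name + b"'"
    return raw.decode(charset, errors="replace")


def quote_neutralised(sql: str) -> bool:
    """True when every quote inside the literal is preceded by a backslash."""
    body = sql[sql.index("'") + 1 : sql.rindex("'")]
    i = 0
    while i < len(body):
        if body[i] == "\\":
            i += 2          # escaped character, whatever it is
            continue
        if body[i] == "'":
            return False    # live quote: the literal ends early
        i += 1
    return True


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return conn


def rows_via_string_building(conn: sqlite3.Connection, name: bytes) -> int:
    """addslashes() + string concatenation, decoded by the server as GBK."""
    sql = build_sql(addslashes(name), CHARSET)
    return len(conn.execute(sql).fetchall())


def rows_via_parameter(conn: sqlite3.Connection, name: bytes) -> int:
    """Bound parameter: the value never touches the statement text."""
    text = name.decode(CHARSET, errors="replace")
    return len(conn.execute("SELECT name FROM users WHERE name = ?", (text,)).fetchall())


if __name__ == "__main__":
    conn = setup_db()
    print("addslashes, benign :", build_sql(addslashes(BENIGN), CHARSET))
    print("addslashes, attack :", build_sql(addslashes(ATTACK), CHARSET))
    print("rows via string building:", rows_via_string_building(conn, ATTACK))
    print("rows via parameter      :", rows_via_parameter(conn, ATTACK))
    print("encoding-aware rejects attack:", encoding_aware_rejects(ATTACK, CHARSET))
```

Run it and the second printed statement shows the quote standing free after a single GBK character, so the string-built query returns every user, while the parameterised query returns none and the charset-aware escaper refuses the input before any SQL is assembled.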