Newsgroups: php.internals
Subject: Re: [PHP-DEV] Resolution for ver_export()/addslashes() encoding based script execution attack?
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Lester Caine
Cc: "internals@lists.php.net"
Date: Wed, 26 Feb 2014 18:21:08 +0900
In-Reply-To: <530DADC7.2070302@lsces.co.uk>
References: <530C3C7B.8080907@sugarcrm.com> <530C77F8.2060809@sugarcrm.com> <1393328380.5233.45.camel@guybrush> <530DADC7.2070302@lsces.co.uk>

Hi Lester,

On Wed, Feb 26, 2014 at 6:03 PM, Lester Caine wrote:
> Yasuo Ohgaki wrote:
>
>> As you know, all databases' escaping functions have an encoding parameter.
>> PostgreSQL uses the encoding parameter stored in the db connection structure. This
>> is the reason why pg_escape_string() has an optional database connection
>> parameter for escaping.
>
> On the whole any database access I'm doing with Firebird is done using
> parameters which are handled in the database connection rather than having
> to worry about many of these sorts of 'protections'. The result for me is
> that I don't have to worry about many of the problems the more lax handling
> of data in MySQL can create. But the more important thing here is that I've
> not used a 'locale' other than UTF8 for websites for many years and so the
> whole underlying structure needs fixing rather than trying to patch small
> areas that are better handled by doing the job correctly in the first place!

We cannot force users to use Unicode for database/file/etc ;)

I'm not proposing the use of a locale, but a new escape API that supports multibyte encodings.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
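The two approaches discussed in this exchange, encoding-aware escaping tied to the connection (Yasuo's point about pg_escape_string() taking a connection argument) and parameterised queries (Lester's approach), side by side in PHP. This is an added example, not code from the thread or from PHP itself; it assumes a reachable PostgreSQL server whose connection string is supplied in a `PG_DSN` environment variable (the variable name is this example's own convention), and it uses only the `pg_*` and `mb_*` functions that ship with PHP.

```php
<?php
// Added example (not from the thread). Requires a live PostgreSQL server;
// PG_DSN is an assumption of this example, e.g. PG_DSN="host=localhost dbname=test user=app".
declare(strict_types=1);

$dsn  = getenv('PG_DSN') ?: 'host=localhost dbname=test';
$conn = pg_connect($dsn);
if ($conn === false) {
    fwrite(STDERR, "connection failed\n");
    exit(1);
}

// Make the client encoding explicit. The escaping functions below consult this
// setting to know which byte sequences form one character, so it must not be
// left to whatever the server or environment happens to default to.
pg_set_client_encoding($conn, 'UTF8');
$encoding = pg_client_encoding($conn); // "UTF8"

// Untrusted input standing in for a request parameter (constructed default).
$name = $argv[1] ?? "O'Reilly";

// Reject byte sequences that are not valid in the connection's encoding before
// they reach either the escaper or the database; malformed multibyte data is
// exactly what byte-oriented escapers such as addslashes() mishandle.
if (!mb_check_encoding($name, 'UTF-8')) {
    fwrite(STDERR, "input is not valid UTF-8\n");
    exit(1);
}

// 1. Encoding-aware escaping. pg_escape_literal() is given the connection, so it
//    escapes according to the client encoding set above and returns the value with
//    its surrounding quotes. addslashes(), by contrast, sees only single bytes.
$literal = pg_escape_literal($conn, $name);
$res1    = pg_query($conn, "SELECT $literal AS name");

// 2. Parameterised query. The value is sent separately from the SQL text, so no
//    escaping step exists to get wrong. This is the approach Lester describes.
$res2 = pg_query_params($conn, 'SELECT $1::text AS name', [$name]);

if ($res1 === false || $res2 === false) {
    fwrite(STDERR, 'query failed: ' . pg_last_error($conn) . "\n");
    exit(1);
}

$row1 = pg_fetch_assoc($res1);
$row2 = pg_fetch_assoc($res2);

// Both paths must round-trip the same bytes the application supplied.
printf("encoding=%s escaped=%s params=%s same=%s\n",
    $encoding, $row1['name'], $row2['name'],
    $row1['name'] === $row2['name'] ? 'yes' : 'no');

pg_close($conn);
```

Run it as `PG_DSN="host=localhost dbname=test" php example.php "山田'太郎"` to exercise both a multibyte name and an embedded quote. The point the thread is making shows up in the signature of `pg_escape_literal()`: because it receives the connection, it knows the client encoding, whereas `addslashes()` has no way to learn it.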