On 05/14/2007 09:54 PM, Scott MacVicar wrote:
> It's similar to SET NAMES but isn't identical; the SQL statement can't
> update the internal character encoding on the client. This causes
> mysql_real_escape_string to perform incorrectly and can lead to data
> being incorrectly escaped.
> This in turn can lead to SQL Injections when you change from a single
> byte character set (latin1) which is the default to a multibyte
> character set.
> In regards to ext/mysql and ext/mysqli, most hosts don't know the
> difference and only enable ext/mysql, instead allow users to protect
> themselves or deprecate ext/mysql.

Requiring PHP 5.2.3 instead of requiring MySQLi looks like nonsense to me.
--
Wbr,
Antony Dovgal
--
PHP Internals - PHP Runtime Development Mailing List
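The charset mismatch discussed in the quoted message, as an added example that is not part of the original thread and is not PHP or libmysql code: a simplified Python model of client-side escaping and server-side literal parsing. GBK is an assumed stand-in for "a multibyte character set", and all function names and the sample input are constructed for illustration.

```python
# Added illustration, simplified model only (not libmysql or PHP source).
# GBK is an assumed example of a multibyte charset; SAMPLE is constructed.
ESCAPES = {0x00: b"\\0", 0x0A: b"\\n", 0x0D: b"\\r", 0x1A: b"\\Z",
           0x22: b'\\"', 0x27: b"\\'", 0x5C: b"\\\\"}
SAMPLE = b"\xbf'TAIL"

def gbk_lead(byte):
    return 0x81 <= byte <= 0xFE

def gbk_char_len(buf, i):
    """Return 2 if buf[i:i+2] is a well-formed GBK double-byte char, else 0."""
    if gbk_lead(buf[i]) and i + 1 < len(buf):
        trail = buf[i + 1]
        if 0x40 <= trail <= 0xFE and trail != 0x7F:
            return 2
    return 0

def escape(data, client_charset):
    """Escape using the charset the client library believes is in effect."""
    out, i, multibyte = bytearray(), 0, client_charset == "gbk"
    while i < len(data):
        n = gbk_char_len(data, i) if multibyte else 0
        if n:                                   # whole character: copy as is
            out += data[i:i + n]
        elif multibyte and gbk_lead(data[i]):   # dangling lead byte
            out += b"\\" + data[i:i + 1]
        else:
            out += ESCAPES.get(data[i], data[i:i + 1])
        i += n or 1
    return bytes(out)

def text_after_literal(escaped, server_charset):
    """Lex 'escaped' as a quoted literal; return the bytes left outside it."""
    sql, i, multibyte = b"'" + escaped + b"'", 1, server_charset == "gbk"
    while i < len(sql):
        n = gbk_char_len(sql, i) if multibyte else 0
        if n:
            i += n
        elif sql[i] == 0x5C:                    # backslash hides next byte
            i += 2
        elif sql[i] == 0x27:                    # unescaped quote closes it
            return sql[i + 1:]
        else:
            i += 1
    return None                                 # literal never closed

if __name__ == "__main__":
    for client in ("latin1", "gbk"):            # server side is GBK in both
        print(client, text_after_literal(escape(SAMPLE, client), "gbk"))
```

A non-empty result means part of the input ended up outside the string literal; that happens only when the client escapes as latin1 while the server parses as GBK, which is the state a bare `SET NAMES` leaves the connection in.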