From:stefan Date:March 31 2006 5:12pm
Subject:svn commit - mysqldoc@docsrva: r1713 - in trunk: refman-4.1 refman-5.0 refman-5.1
Author: shinz
Date: 2006-03-31 17:12:39 +0200 (Fri, 31 Mar 2006)
New Revision: 1713

Log:
Add security advice about PHP functions and multi-byte characters (Serg)

Modified:
   trunk/refman-4.1/database-administration.xml
   trunk/refman-5.0/database-administration.xml
   trunk/refman-5.1/database-administration.xml

Modified: trunk/refman-4.1/database-administration.xml
===================================================================
--- trunk/refman-4.1/database-administration.xml	2006-03-31 08:01:57 UTC (rev 1712)
+++ trunk/refman-4.1/database-administration.xml	2006-03-31 15:12:39 UTC (rev 1713)
@@ -11527,13 +11527,24 @@
 
             <listitem>
               <para>
-                PHP: Use the <literal>mysql_escape_string()</literal>
-                function, which is based on the function of the same
-                name in the MySQL C API. Prior to PHP 4.0.3, use
-                <literal>addslashes()</literal> instead.
+                PHP: Use the 
+                <function>mysql_real_escape_string()</function> function
+                (available as of PHP 4.3.0, prior to that PHP version use
+                <function>mysql_escape_string()</function>, and prior to 
+                PHP 4.0.3, use <function>addslashes()</function> ).
+                Note that only 
+                <function>mysql_real_escape_string()</function> is
+                character set-aware; the other functions can be
+                <quote>bypassed</quote> when using (invalid) multi-byte
+                character sets.
+                In PHP 5 (and as of MySQL 4.1), you
+                can use the <literal>mysqli</literal> extension, which
+                supports the improved MySQL authentication protocol and
+                passwords, as well as prepared statements with
+                placeholders.
               </para>
             </listitem>
-
+            
             <listitem>
               <para>
                 Perl DBI: Use placeholders or the
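Review bot: the parenthetical starting at `(available as of PHP 4.3.0, prior to that PHP version use` is a run-on and leaves a stray space before the closing parenthesis; suggest `(available as of PHP 4.3.0; before that, use <function>mysql_escape_string()</function>, and before PHP 4.0.3, use <function>addslashes()</function>).` Two further wording points in the same paragraph: `the other functions can be <quote>bypassed</quote>` reads as if the functions themselves are skipped, when it is their escaping that can be bypassed, so `the escaping done by the other functions can be bypassed` is clearer; and describing `mysql_real_escape_string()` as character set-aware implies a dependency on the character set of the current connection, so the text should tell readers to set the connection character set explicitly rather than leave it to the default. Also, the change at the end of the hunk replaces an empty line with one containing only spaces; revert it to avoid adding trailing whitespace. The two `PHP: Use the ` and `Note that only ` lines carry trailing spaces as well.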

Modified: trunk/refman-5.0/database-administration.xml
===================================================================
--- trunk/refman-5.0/database-administration.xml	2006-03-31 08:01:57 UTC (rev 1712)
+++ trunk/refman-5.0/database-administration.xml	2006-03-31 15:12:39 UTC (rev 1713)
@@ -14053,17 +14053,24 @@
 
             <listitem>
               <para>
-                PHP: Use the <literal>mysql_escape_string()</literal>
-                function, which is based on the function of the same
-                name in the MySQL C API. (Prior to PHP 4.0.3, use
-                <literal>addslashes()</literal> instead.) In PHP 5, you
+                PHP: Use the 
+                <function>mysql_real_escape_string()</function> function
+                (available as of PHP 4.3.0, prior to that PHP version use
+                <function>mysql_escape_string()</function>, and prior to 
+                PHP 4.0.3, use <function>addslashes()</function> ).
+                Note that only 
+                <function>mysql_real_escape_string()</function> is
+                character set-aware; the other functions can be
+                <quote>bypassed</quote> when using (invalid) multi-byte
+                character sets.
+                In PHP 5, you
                 can use the <literal>mysqli</literal> extension, which
                 supports the improved MySQL authentication protocol and
                 passwords, as well as prepared statements with
                 placeholders.
               </para>
             </listitem>
-
+            
             <listitem>
               <para>
                 Perl DBI: Use placeholders or the
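Review bot: the removed text `which is based on the function of the same name in the MySQL C API` was the only cross-reference linking the PHP function to its C API counterpart, and the new text drops it without replacement; since `mysql_real_escape_string()` also has a C API function of the same name, consider keeping a sentence such as `This function corresponds to the function of the same name in the MySQL C API.` so readers of the C API chapter can connect the two. As in the 4.1 file, the `-`/`+` pair at the end of the hunk swaps an empty line for a line of spaces, which only introduces trailing whitespace and should be reverted.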

Modified: trunk/refman-5.1/database-administration.xml
===================================================================
--- trunk/refman-5.1/database-administration.xml	2006-03-31 08:01:57 UTC (rev 1712)
+++ trunk/refman-5.1/database-administration.xml	2006-03-31 15:12:39 UTC (rev 1713)
@@ -13943,10 +13943,17 @@
 
             <listitem>
               <para>
-                PHP: Use the <literal>mysql_escape_string()</literal>
-                function, which is based on the function of the same
-                name in the MySQL C API. (Prior to PHP 4.0.3, use
-                <literal>addslashes()</literal> instead.) In PHP 5, you
+                PHP: Use the 
+                <function>mysql_real_escape_string()</function> function
+                (available as of PHP 4.3.0, prior to that PHP version use
+                <function>mysql_escape_string()</function>, and prior to 
+                PHP 4.0.3, use <function>addslashes()</function> ).
+                Note that only 
+                <function>mysql_real_escape_string()</function> is
+                character set-aware; the other functions can be
+                <quote>bypassed</quote> when using (invalid) multi-byte
+                character sets.
+                In PHP 5, you
                 can use the <literal>mysqli</literal> extension, which
                 supports the improved MySQL authentication protocol and
                 passwords, as well as prepared statements with
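Review bot: `(invalid) multi-byte character sets` on the `<quote>bypassed</quote>` line is ambiguous about what is invalid, the character set or the input; the risk being described is input containing byte sequences that are not valid in the connection's multi-byte character set, so `when the input contains byte sequences that are invalid in a multi-byte character set` states it precisely. `character set-aware` should be hyphenated as `character-set-aware` (or reworded as `aware of the connection character set`) so the compound reads as one modifier; the same fix applies to the identical paragraphs in the 4.1 and 5.0 files so the three manuals stay in step.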
