mysql_real_escape_string is not enough
Most developers worth their income know this already, but I've never seen it explained as well as it was by Alex Nikitin on the PHP-General mailing list yesterday.

This was fine in the days of ASCII, but the tubes are hardly ASCII anymore, with Unicode, UTF-16, I have 1,112,064 code points, they are not even called characters anymore, because they really aren't. And if you are familiar with best-fit mapping, you would know that there are now dozens of characters that can represent any single symbol in ASCII, meaning that using the above type of blocking mechanisms is silly and technically insecure.
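To make Alex's point concrete, here is an added example (mine, not code from the post or from Alex's email). It uses a deliberately naive blocklist escape, `naive_escape`, as a stand-in for any escaping that only knows ASCII metacharacters; Unicode NFKC normalization as a stand-in for a best-fit mapping that folds look-alike code points onto ASCII somewhere downstream of the escape; and an in-memory SQLite database in place of MySQL. The names `naive_escape`, `best_fit_fold`, `escape_survives_fold` and `lookup_user_parameterized` are all hypothetical. The hardened alternative shown, binding values with placeholders, is the standard mitigation and is not claimed to be the specific remedy Alex proposes.

```python
import sqlite3
import unicodedata

# Constructed blocklist: escapes only the ASCII metacharacters it knows about.
# Any Unicode look-alike passes straight through untouched.
ASCII_META = {"'": "\\'", '"': '\\"', "\\": "\\\\", "\x00": "\\0"}


def naive_escape(s: str) -> str:
    """Blocklist-style escape of the kind the post calls insecure (hypothetical)."""
    return "".join(ASCII_META.get(ch, ch) for ch in s)


def best_fit_fold(s: str) -> str:
    """Simulate a best-fit / compatibility mapping applied after escaping
    (a charset conversion, a lossy collation, a legacy API). NFKC is used
    as the stand-in: it maps e.g. U+FF07 FULLWIDTH APOSTROPHE to U+0027."""
    return unicodedata.normalize("NFKC", s)


def unescaped_ascii_quotes(s: str) -> int:
    """Count ASCII single quotes that are not preceded by a backslash."""
    count = 0
    for i, ch in enumerate(s):
        if ch == "'" and (i == 0 or s[i - 1] != "\\"):
            count += 1
    return count


def escape_survives_fold(user_input: str) -> bool:
    """True only if the escape still protects the string once a best-fit
    mapping has folded it onto ASCII. A False here is the post's warning."""
    folded = best_fit_fold(naive_escape(user_input))
    return unescaped_ascii_quotes(folded) == 0


def make_demo_db() -> sqlite3.Connection:
    """Constructed sample table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def lookup_user_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the value is bound separately from the SQL text, so no
    code point in `name`, ASCII or otherwise, can change the statement."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed sample inputs.
PLAIN = "o'brien"
LOOKALIKE = "o\uFF07brien"  # U+FF07 FULLWIDTH APOSTROPHE, absent from the blocklist

if __name__ == "__main__":
    print(naive_escape(PLAIN))      # o\'brien
    print(naive_escape(LOOKALIKE))  # unchanged: the escape saw no ASCII quote
    print(escape_survives_fold(PLAIN), escape_survives_fold(LOOKALIKE))  # True False
    conn = make_demo_db()
    print(lookup_user_parameterized(conn, "alice"))    # [(1, 'alice')]
    print(lookup_user_parameterized(conn, LOOKALIKE))  # []
```

The escape-then-fold check is the part to internalise: the escape succeeds on what it sees, and the fold happens afterwards, so no amount of extending the blocklist closes the gap. Binding the value as a parameter sidesteps the question entirely, because the database never parses the value as SQL.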

Alex goes on to suggest a couple of ways around this problem, so the full email is well worth reading:
