NYCPHP Meetup

NYPHP.org

[nycphp-talk] mysql_real_escape_string and setting of charset

Darian Anthony Patrick darian at criticode.com
Fri Mar 9 13:36:38 EST 2007


Good afternoon all,

I have several questions regarding mysql_real_escape_string (and the like).

When default_charset is not set in php.ini, it appears that PHP has no
fallback default.  Am I wrong in this thinking?  Is UTF-8 the default?

It seems best practice would dictate using the same charset from
persistent storage (i.e., tables defined as utf8_unicode_ci), through to
HTML output (Content-type header, meta tag).  But what about cases where
the database needs to use UTF-8, but a front-end is being written that
does not?

What is the behavior of mysql_real_escape_string when default_charset is
not defined?

Also, how does one define charset (as it pertains to
mysql_real_escape_string) at runtime?

And could anyone direct me to (or incant) a working exploit that takes
advantage of the default_charset not being defined, or being defined
incorrectly?

I've been doing my homework on this, but am coming up with insufficient
information on this topic.

Thanks very much everyone,

Darian
--
Darian Anthony Patrick
Principal, Application Development
Criticode LLC
(215) 240-6566 Office
(866) 789-2992 Facsimile
Web:   http://criticode.com
Email: darian at criticode.com
JID:   darian at jabber.criticode.net