tags:

views:

58

answers:

2
+2  Q: 

Security issue / sql injection with mysql collation?

Perhaps I don't have enough of an understanding of this yet, so I'm looking for a little direction.

All of our tables show a collation of latin1_swedish_ci. Here's what I see in the mysql variables:

collation connection utf8_general_ci
(Global value) latin1_swedish_ci
collation database latin1_swedish_ci
collation server latin1_swedish_ci

Now, we see utf8 (or, at least, foreign language content) stored in the db pretty frequently, and it renders correctly. Does the collation not matter for this?

Using something like php addslashes() on user input - is this sufficient? Or, does this leave an injection opportunity?

EDIT: So, looking at the full set of collation / charset settings, at least in phpmyadmin, I see:

character set client    utf8
(Global value)  latin1
character set connection    utf8
(Global value)  latin1
character set database  latin1
character set filesystem    binary
character set results   utf8
(Global value)  latin1
character set server    latin1
character set system    utf8
character sets dir  /usr/share/mysql/charsets/
collation connection    utf8_general_ci
(Global value)  latin1_swedish_ci
collation database  latin1_swedish_ci
collation server    latin1_swedish_ci
+2  A: 

The collation does only describe rules for comparing characters of a certain character set. One rule could be that a is equal A, b is equal B, etc. or that ß is equal to ss, ä is equal to ae, etc.

And for an explicit escaping of strings for MySQL, use mysql_real_escape_string. This function does in opposite to addslashes and mysql_escape_string take the actual character encoding of the connection into account.

But you need to set the character encoding of the connection with mysql_set_charset. Because otherwise a change will not be recognized (see C API Functions Description – mysql_real_escape_string()):

If you need to change the character set of the connection, you should use the mysql_set_character_set() function rather than executing a SET NAMES (or SET CHARACTER SET) statement. mysql_set_character_set() works like SET NAMES but also affects the character set used by mysql_real_escape_string(), which SET NAMES does not.

Gumbo  2010-09-08 08:20:09
+1 this is the correct answer. although adodb and pdo use mysql_escape_string() and everyone loves parametrized queries...
Rook  2010-09-08 19:36:42
mysql_real_escape_string doing it's special job only if mysql_set_charset() being used. otherwise it will act as mysql_escape_string
Col. Shrapnel  2010-09-08 19:39:49
@Col. Shrapnel: Didn’t know that. But you’re right, see http://dev.mysql.com/doc/refman/5.0/en/mysql-real-escape-string.html.
Gumbo  2010-09-08 20:38:00
it could be epic fail if utf8 weren't be a standard de-facto :) But it is, and it doesn't require any special attention from real escaping. Thus, mysql_real_escape_string is just overkill in most cases. Not to mention prepared statements which do not being affected by this setting at all.
Col. Shrapnel  2010-09-08 21:11:07
A: 

All of our tables show a collation of latin1_swedish_ci
foreign language content renders correctly

There is something wrong with your database.
It will be either unable to store non-latin characters or unable to order/filter database contents properly.

To store foreign characters, utf8 charset should be set for the tables. As well as connection charset.

Using something like php addslashes() on user input - is this sufficient?

addslashes is sufficient, if your charsets latin1 and utf8 only. But the rest is wrong.

  1. addslashes() or other escaping function do not help alone! It works only with quotes around escaped data. Thus, it should be not just "Using something like addslashes()" but "Using something like addslashes() for quoted strings and type casting for numbers"
  2. Not for user input! Escaping is not for sanitizing! It's just for proper formatting of the query. Any query. With any data. Not only user input, as everyone in this poor world thinks, but for any data (that goes to the query as quoted strings).
Col. Shrapnel  2010-09-08 19:51:16
@Col. Shrapnel: Thanks for the feedback. I included my full charset / collation settings above, not sure what's incorrect. Also, not sure what the settings from my php processes would be, will see if I can figure that out.
Neil  2010-09-08 21:57:31

related questions

Remove Quotes and Commas from a String in MySQL
What's the best way of converting a mysql database to a sqlite one?
How do you manage databases in development, test, and production?
Multiple foreign keys?
Add 1 to a field (MySQL)
Issues using MS Access as a front-end to a MySQL database back-end?
Bigger than a char but smaller than a blob
How do I retrieve my MySQL username and password?
Long-time LAMP Developer moving to VB.NET
How do I Concatenate entire result sets in MySQL?
Full complete MySQL database replication? Ideas? What do people do?
SQL: Distribution of table in time
SQLite vs MySQL
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Multiple Updates in MySQL
MySQL/Apache Error in PHP MySQL query
What all do I need to escape when sending a (My)SQL query?
Auto Generate Database Diagram MySQL
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
Python and MySQL
SQL Server 2005 implementation of MySQL REPLACE INTO?
How to export data from SQL Server 2005 to MySQL
Throw Error In MySQL Trigger
Binary Data in MySQL