Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Possible Duplicate:
PHP’s mysql_real_escape_string and MySQL Injection
This is the character in question:
\x1A
Why does it pose a threat and what is it? Googling says it’s a control character but I don’t understand what that means, especially in the context of escaping data.
Thanks
0x1Ais ctrl-z, which in DOS days was used as an EOF (end-of-file) marker. While it shouldn’t be a problem on any modern database, it could have been used to sneak extra query statements past an old dos-days SQL parser, so you’d end up with something like:A stupid parser would stop at the ctrl-z, thinking “hey, look, it’s the end of the file”. The entire string would be passed to the DB, and if it was a “smart” db, would ignore the ctrl-z and happily execute the drop command