codeigniter -- SQL injection vulnerability

ID B7D785EA-656D-11E5-9909-002590263BF5
Type freebsd
Reporter FreeBSD
Modified 2011-08-20T00:00:00


The CodeIgniter changelog reports:

An improvement was made to the MySQL and MySQLi drivers to prevent exposing a potential vector for SQL injection on sites using multi-byte character sets in the database client connection. An incompatibility in PHP versions < 5.2.3 and MySQL > 5.0.7 with mysql_set_charset() creates a situation where using multi-byte character sets on these environments may potentially expose a SQL injection attack vector. Latin-1, UTF-8, and other "low ASCII" character sets are unaffected on all environments. If you are running or considering running a multi-byte character set for your database connection, please pay close attention to the server environment you are deploying on to ensure you are not vulnerable.