Re: Making addslashes() multibyte aware

From: Date: Mon, 16 Dec 2013 20:44:02 +0000
Subject: Re: Making addslashes() multibyte aware
References: 1  Groups: php.internals 
Hi all,

On Sat, Dec 14, 2013 at 1:22 PM, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:

> escapeshellargs()/fgetcsv() have multibyte char support via mblen() which
> depends on LC_TYPE, but addslashes() doesn't take MBCS into account at all.
>
> addslashes() could behave like escapeshellargs(). Current addslashes()
> is not usable with SJIS/BIG5/etc.
>
> Depending on locale is problematic. Is it safe with multi threaded SAPI?
> Using the mbstring feature and introducing an encoding php.ini setting
> might be better.
>
> Any comments on making addslashes() locale aware? And/or on the current
> escapeshellargs()/fgetcsv() implementation?
>

I don't think locale-based MBCS support is optimum, but I'll add it to
addslashes() for now.

The question is, where should I start?
It's a security issue for certain char encodings such as SJIS/BIG5.

I'll fix php_addslashes(). Therefore, any functions that use it internally
are affected, e.g. var_export(), etc. Users are not affected as long as
they are using the correct locale.

Should I fix this from 5.3?

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
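
An added illustration of the problem discussed in this message, not code from the post or from PHP: byte-wise escaping next to an encoding-aware variant, checked on a constructed Shift_JIS input whose trail byte is 0x5C. The function names are hypothetical, and the Shift_JIS byte ranges are hard-coded as a stand-in for the locale-dependent mblen() the thread proposes, so the example runs without an SJIS locale installed.

```c
#include <stdio.h>
#include <stddef.h>

/* Shift_JIS byte ranges, hard-coded here in place of a locale-dependent mblen(). */
static int sjis_is_lead(unsigned char c)  { return (c >= 0x81 && c <= 0x9F) || (c >= 0xE0 && c <= 0xFC); }
static int sjis_is_trail(unsigned char c) { return (c >= 0x40 && c <= 0x7E) || (c >= 0x80 && c <= 0xFC); }
static int needs_escape(unsigned char c)  { return c == '\'' || c == '"' || c == '\\'; }

/* Hypothetical escaper. sjis_aware == 0: every byte is judged on its own.
 * sjis_aware == 1: a lead byte and its trail byte are copied as one character,
 * and a truncated or invalid sequence returns -1 instead of being guessed at.
 * out must hold at least 2 * n bytes. */
long addslashes_mb(const unsigned char *in, size_t n, unsigned char *out, int sjis_aware) {
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        if (sjis_aware && sjis_is_lead(in[i])) {
            if (i + 1 >= n || !sjis_is_trail(in[i + 1])) return -1;
            out[o++] = in[i++];
            out[o++] = in[i];
            continue;
        }
        if (needs_escape(in[i])) out[o++] = '\\';
        out[o++] = in[i];
    }
    return (long)o;
}

/* Counts single quotes that a Shift_JIS-aware reader would treat as unescaped. */
int unescaped_quotes_sjis(const unsigned char *s, size_t n) {
    int count = 0;
    for (size_t i = 0; i < n; i++) {
        if (sjis_is_lead(s[i]) && i + 1 < n) { i++; continue; }  /* two-byte character */
        if (s[i] == '\\' && i + 1 < n)       { i++; continue; }  /* backslash escapes next byte */
        if (s[i] == '\'') count++;
    }
    return count;
}

int main(void) {
    /* Constructed sample: a two-byte Shift_JIS character with trail byte 0x5C, then a quote. */
    const unsigned char in[] = { 0x95, 0x5C, '\'' };
    unsigned char a[6], b[6];
    long na = addslashes_mb(in, sizeof in, a, 0);
    long nb = addslashes_mb(in, sizeof in, b, 1);
    printf("unescaped quotes: byte-wise %d, encoding-aware %d\n",
           unescaped_quotes_sjis(a, (size_t)na), unescaped_quotes_sjis(b, (size_t)nb));
    return 0;
}
```

The byte-wise pass doubles the 0x5C trail byte, so a Shift_JIS-aware reader pairs the backslash meant for the quote with that extra byte and the quote ends up unescaped; the encoding-aware pass keeps the character whole and the quote escaped.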

