Archive for April 2014

Mysql_escape_string: the charset vulnerability

mysql_escape_string is a deprecated and vulnerable PHP function used to sanitize user input before it reaches a MySQL query. It escapes most of the special characters that a malicious user can use to perform SQLi. This is an example of how the function works:

root@bt:~# cat /tmp/esc_str.php <? …