JanTvrdik
commented
9 years ago @dg Any thoughts? What would you recommend to people who use Nette?
Open JanTvrdik opened 9 years ago
JanTvrdik
commented
9 years ago @dg Any thoughts? What would you recommend to people who use Nette?
dg
commented
9 years ago utf8mb4 enabled, thx for suggestion https://github.com/nette/database/commit/79886631edf37c27f079814bd2de417cb577c7fe
dg
commented
9 years ago | strict | nonstrict | note | |
|---|---|---|---|
| names utf8, table utf8 | error 1366 | truncates string | for all < 5.5.3 users |
| names utf8mb4, table utf8 | error 1366 | replaces with ? |
for nearly all >= 5.5.3 users |
| names utf8, table utf8mb4 | error 1366 | replaces with ???? |
fixed by https://github.com/nette/database/commit/79886631edf37c27f079814bd2de417cb577c7fe |
To remove characters on input is like magic quotes. It sould be solved on Database level, invalid character can be optionally converted to '?'.
MySQL's
utf8encoding does not support characters above U+FFFF. Usingutf8encoding and not removing characters above U+FFFF can be used to bypass input validation. You can for example use this to bypass minimum length requirement for thread title on Nette forum. See excellent presentation Hacking with Unicode for more practical examples.Applications must either use
utf8mb4encoding (which supports full UTF-8) or remove all characters above U+FFFF. I think that Nette should support both approaches.We should certainly allow removing characters above U+FFFF in RequestFactory and either make it default or change default encoding in Nette\Database to
utf8mb4.Note: utf8mb4 encoding is available since MySQL 5.5.3 (2010-03-24)