In order for this to take effect, you need:
1. To "sanitize" SQL injection by quoting parameters and building SQL strings manually
2. Your quoting function needs to be in a language that iterates over multibyte chars properly (i.e., you're not running naively on binary strings)
3. The output multibyte charset must be one of the afflicted charsets (mostly CJK charsets)
4. Your DBMS must be incapable of properly handling the relevant charset, and is instead checking it in a different charset.
Point #4 makes it really hard to envision this ever being a problem, since if you're using a CJK charset on your platform already, you're quite likely to notice very quickly that something is horribly, horribly wrong.
I was thinking the same thing, and does people really still build SQL-strings programmatically in the server application?
Seems like this bad practice should be dead by now, not only does it open up for injection attacks but it also prevents the database from optimizing the query by precompiling, data aggregation and building smarter execution plans.
It should be dead by now, but I had to a move a website done by an agency to a new server. I don't really code PHP, but could see that it was full of concatenated SQL strings.
This is absolutely good advice, but people giving it rarely acknowledge that it isn't always possible.
A particular irritant is that most (all?) db APIs make it impossible to use parametrized queries with IN clauses. I find myself having to implement string escaping functions sooner or later in every project, because of stuff like that.
This is such an irritant. Everyone supports variable size IN clause in the form of a sub-select AFAIK. You should be able to abstract the parsing and have an api to address that. Yet for years its missing and you end up all sorts of garbage under-performing code.
Our current solution is to use of temporary table because other solutions (including dynamically adding parameter in query) makes them unique queries and crashes performance.
Alternatively, you can use a temp table and a join. Not ideal, but still safe from injection and should have roughly the same overhead in the database.
In Postgres until 9.2, the query plan for prepared statements is fixed at prepare time rather than time of execution, so you might end up with worse query plans. It's worth noting that 9.1 is still the version in Ubuntu 12.04, it's only 14.04 that has 9.3.
It should be noted that Postgres offers a repository with the latests versions even for Ubuntu 12.04, so you don't need to upgrade the distro or compile PG yourself to use them.
That's one of the main points of gathering statistics, so the query plan can depend on the values being queried. At least in Oracle, not sure about Postgres. For long running queries it can be a big win.
People may use frameworks which sometimes default to concatenation, even when the ORM makes it look like they're using parameterized queries.
People care more about convenience and fast iteration than security - concatenation is faster and easier, and insecure sites can still make money, so the incentives are on the side of fast, dirty code that works now rather than secure code that works later.
People (this is especially true in the PHP world) may not even know parameterized queries exist.
I too wish more people in the PHP world would use parameters, but alas, your second paragraph sums up the common mentality. If its still going to make money, why go to the effort? Personally I love sending a query with an object and just let the engine do the work.
I see this sort of thing on a daily basis, but it's not from PHP developers but our "lead" Delphi developer. I've tried to convince him of the benefits of parameter based queries, but believes that it would be a performance hit (performance for him maybe, he'd have to struggle to learn something new).
"Web applications sanitize the apostrophe (') character in strings coming from user input being passed to SQL statements using an escape (\) character."
Please, please don't say this. In the SQL standard, backslash is NOT the escape character for a string literal.
PostgreSQL, starting in v8.2, began transitioning from C-style escapes (using backslash) to SQL standard escapes (where a single quote is escaped with another single quote). Standard behavior is the default, but can be controlled with the variable standard_conforming_strings.
But you shouldn't have to know that anyway. Use out-of-band parameters that are passed in the wire protocol separately from the string. Web frameworks should already ensure this, and if they don't, they are likely broken.
If you are writing a web framework and you need to use escaping for some reason: first, make sure you can't use parameters on the wire instead; then read the product-specific literal parsing rules very carefully, considering things like multibyte characters.
The same goes for JavaScript, escape sequences, SQL string concatenation and so on. It always seems like a great idea but it is just about impossible to get it airtight.
Better do your signaling, commands and meta-data through another channel.
Section 3.1 of Unicode technical report 36 describes a couple of similar things specific to UTF-8: overlong sequences, and ill-formed subsequences.
Does your software conform to Unicode 3.0 and earlier, 3.1 through 5.1, or 5.2 and later? And do your server and client software agree? If you don't know the answer (and you depend on string sanitization), you may be at risk.
I wonder, does that 0x5c byte has to be the last one in the character or can it also be the first, or the second one, followed by the hex value of ;, the end of instruction in mysql?
Point #4 makes it really hard to envision this ever being a problem, since if you're using a CJK charset on your platform already, you're quite likely to notice very quickly that something is horribly, horribly wrong.