by jcranmer 3647 days ago
In order for this to take effect, you need:

1. To "sanitize" SQL injection by quoting parameters and building SQL strings manually
2. Your quoting function needs to be in a language that iterates over multibyte chars properly (i.e., you're not running naively on binary strings)
3. The output multibyte charset must be one of the afflicted charsets (mostly CJK charsets)
4. Your DBMS must be incapable of properly handling the relevant charset, and is instead checking it in a different charset.

Point #4 makes it really hard to envision this ever being a problem, since if you're using a CJK charset on your platform already, you're quite likely to notice very quickly that something is horribly, horribly wrong.


I was thinking the same thing, and do people really still build SQL strings programmatically in the server application?

Seems like this bad practice should be dead by now; not only does it open up for injection attacks, but it also prevents the database from optimizing the query by precompiling, data aggregation and building smarter execution plans.

It happens a lot in junk WordPress plugins. Even with built-in support for doing it better [1], far too many just use straight concatenation.

[1]: https://developer.wordpress.org/reference/classes/wpdb/prepa...

It should be dead by now, but I had to move a website done by an agency to a new server. I don't really code PHP, but could see that it was full of concatenated SQL strings.
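A heuristic checker for the pattern the last two comments describe (unprepared `$wpdb` queries built by string concatenation or interpolation instead of `$wpdb->prepare()`), added here as an example and not part of the thread or of WordPress itself. The PHP sample it scans is constructed, and the list of `$wpdb` method names and the regexes are my assumptions about the common call shapes.

```python
import re

# Constructed sample of plugin-style PHP (not taken from any real plugin). It
# mixes the safe idioms (prepare(), {$wpdb->table} names) with the unsafe ones.
SAMPLE_PHP = r'''<?php
$rows = $wpdb->get_results("SELECT * FROM {$wpdb->posts} WHERE ID = " . $_GET['id']);
$ok   = $wpdb->get_var($wpdb->prepare("SELECT COUNT(*) FROM $table WHERE slug = %s", $slug));
$wpdb->query("DELETE FROM $table WHERE user = '$user'");
$all  = $wpdb->get_results("SELECT id, title FROM {$wpdb->posts} WHERE post_status = 'publish'");
'''

# Assumed set of $wpdb methods that take a raw SQL string as their first argument.
QUERY_CALL = re.compile(r"\$wpdb->(query|get_results|get_var|get_row|get_col)\s*\((.*)\)\s*;")
PREPARED = re.compile(r"\$wpdb->prepare\s*\(")
# {$wpdb->posts}-style table names are the usual way to name tables; drop them
# before looking for interpolation so they do not cause false positives.
TABLE_IDIOM = re.compile(r"\{\$wpdb->\w+\}")
# A PHP variable spliced into a double-quoted string: "... $var ..." or "... {$expr} ..."
INTERPOLATED = re.compile(r'"(?:[^"\\]|\\.)*(?:\$[A-Za-z_]|\{\$)(?:[^"\\]|\\.)*"')
# A string literal glued to a variable with the "." operator, in either order.
CONCAT = re.compile(r'"\s*\.\s*\$|\$[A-Za-z_]\w*(?:\[[^\]]*\])?\s*\.\s*"')


def find_unprepared_queries(php_source):
    """Return (line number, method, line) for every single-line $wpdb query call
    whose SQL is built by concatenation or interpolation and is not wrapped in
    prepare(). Heuristic only: multi-line calls and queries assembled in earlier
    statements are not seen, so an empty report is not proof of safety."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        m = QUERY_CALL.search(line)
        if not m or PREPARED.search(line):
            continue
        arg = TABLE_IDIOM.sub("", m.group(2))  # strip the safe table-name idiom
        if CONCAT.search(arg) or INTERPOLATED.search(arg):
            findings.append((lineno, m.group(1), line.strip()))
    return findings


if __name__ == "__main__":
    for lineno, method, line in find_unprepared_queries(SAMPLE_PHP):
        print(f"line {lineno}: unprepared $wpdb->{method}(): {line}")
```

On the sample it reports lines 2 and 4 and leaves the prepared call and the table-name-only query alone; interpolating `$table` inside a `prepare()` call is still a code smell worth a manual look, which this checker deliberately does not flag.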