PHP 5.3.10 + CI3 PDO injection test

Based on the results of these two articles tested in PHP 5.3.10 + CI3 Environment
http://zhangxugg-163-com.iteye.com/blog/1835721

http://my.oschina.net/zxu/blog/163135

DB Encoding	DB connection Encoding	DB Query Encoding	Attr_emulate_prepares	whether to inject	Log
Gbk	Gbk	SET NAMES GBK	TRUE	Yes	UTF8 code SELECT * FROM info WHERE username = ' ¿\ ' OR username=username # ' GBK Code SELECT * FROM info WHERE username = ' 縗 ' OR username=username # '
Gbk	Gbk	SET NAMES GBK	FALSE	No	SELECT * FROM info WHERE username =
Gbk	Utf8	SET NAMES GBK	TRUE	Yes	SELECT * FROM info WHERE username = ' 縗 ' OR username=username # '
Gbk	Gbk	Not set	TRUE	Error	SQLSTATE[HY000]: General error:1267 illegal mix of collations (gbk_chinese_ci,implicit) and (utf8_general_ci,coercible) For operation ' = '
Gbk	Utf8	SET NAMES UTF8	TRUE	Error	SQLSTATE[HY000]: General error:1267 illegal mix of collations (gbk_chinese_ci,implicit) and (utf8_general_ci,coercible) For operation ' = '
Utf8	Utf8	SET NAMES GBK	TRUE	Yes	SELECT * FROM info WHERE username = ' 縗 ' OR username=username # '
Utf8	Utf8	SET NAMES UTF8	TRUE	No
Utf8	Utf8	Not set	TRUE	No

Summarize:
In the PHP 5.3.10 CI3 Environment
When SET NAMES GBK and Pdo::attr_emulate_prepares are true, there is a potential for injection PDO
These 2 conditions, as long as one of them is not tenable, can prevent injection


To view the CI database class and find that there is a default encoding for less than PHP 5.3.6 to keep it in line with the connection setting encoding

  if (! is_php (' 5.3.6 ') &&! empty ($this->char_set))
  {
   $this->options[pdo::mysql_attr_init_ COMMAND] = ' SET NAMES '. $this->char_set
    . ( Empty ($this->dbcollat)? ': ' COLLATE '. $this->dbcollat);
  

PHP 5.3.10 + CI3 is set to UTF8 in the DB connection Setup code, without additional settings