Which character set is safe for Mysqli->real_escape_string

Question

While, I was reading about mysqli->real_escape_string, in PHP.net#mysqli_real_escape_string. Few line, I could not understand what they mean, and which character set is safe while using real_escape_string

Caution Security: the default character set

The character set must be set either at the server level, or with the API function mysqli_set_charset() for it to affect mysqli_real_escape_string(). See the concepts section on character sets for more information.

Can someone please explain me, Whether utf-8 or default latin is safe or not :-

Here is their code snippet describing situation here https://www.php.net/manual/en/mysqli.real-escape-string.php

What does this mean ?

<?php

$mysqli = new mysqli("localhost", "my_user", "my_password", "world");

// Will not affect $mysqli->real_escape_string();
$mysqli->query("SET NAMES utf8");

// Will not affect $mysqli->real_escape_string();
$mysqli->query("SET CHARACTER SET utf8");

// But, this will affect $mysqli->real_escape_string();
$mysqli->set_charset('utf8');

?>

Thanks

Answer 1

ANY charset if you are using mysqli_set_charset()

Also, utf-8 and default latin are safe even if you aren't.

There are two sides involved in the process. A server and a client. Where client is your PHP script. So, just because escaping being done on the client side (i.e. in PHP), PHP have to know how to escape the data. This is what exactly mysqli_set_charset()- it does either let server know the incoming data encoding AND does let real_escape_string know what encoding data in.

While SET NAMES query does only part of the job, informing server only, leaving real_escape_string in the default state. However, either utf-8 and default latin are invulnerable anyway.