The main feature is parsing correctly MySQL's use of %%A0 as whitespace in it's default
latin1 configuration. This is tricky since we don't want to detect A0 when it's used in UTF-8 as part of a larger word. Feedback and false-positives from non-English SQLi would be most welcome!
Here's the full changelog
v3.8.0 - 2013-10-18
LAMP Special Edition: MySQL and PHP improvements
- Issue #33 Fixes MySQL in latin1-mode use of
%A0as whitespace. This was tricky since
%A0might be part of larger UTF-8 encoding as well. Or perhaps
%C2%A0(utf-8 encoding) might be treated as whitespace. Fortunately, MySQL only seems to treat
%A0as whitespace in latin1 mode. HT @ru_raz0r
- Fixes to Lua testdriver and portability fixes
- Much improved PHP build and test. It now uses
phpizeand builds and tests like a real module.
- API CHANGE: the macro
LIBINJECTION_VERSIONhas been replaced by
const char* libinjection_version(). This allows us to increment the version number without having to regenerate SWIG (or other) bindings for minor releases.
Pregenerated SWIG bindings are removed. You'll need to install SWIG before running
make. SWIG is packaged on virtually every OS so this should not be a problem.
- Latest versions of swig appear to generate poor quality bindings for LUA and Python. Bugs are filed upstream 1341, 1343, 1345. These are fixed or will be fixed in swig 3.0.0.
- In addition, I've recieved a number of reports of generated code failing various static analysis
- I can't triangulate which SWIG for which langauge for which OS will work for you
- I may be switching to libffi for python, and luajit.ffi for lua(jit) in the future, anyways.