PDO & MySQLi (bound params):
PDO is known to be vulnerable to a character-encoding flaw, as demonstrated here: http://shiflett.org/blog/2006/jan/addsla...ape-string
An attacker can get around your little mysqli_real_escape_string magic and exploit your website.
Coming straight to the point. You need to make sure that you either:
* use modern versions of MySQL (late 5.1, all 5.5, 5.6, etc.) AND mysql_set_charset() / $mysqli->set_charset() / PDO's DSN charset parameter (available in PHP 5.3.6),
OR
* don't use a vulnerable character set for the connection encoding (you only use utf8 / latin1 / ascii / etc.).
List will be updated. I am too tired atm.
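The two points above in working form, as an added example that is not part of the original post: the weak way of setting the connection charset (a plain `SET NAMES`, which the server sees but the PHP client library does not) next to the hardened PDO and MySQLi setups that tell the client library the charset, use native prepared statements, and verify that the charset the client thinks it is using matches what the server reports. Host, database, user and password values are placeholders, and the `users` table is assumed.

```php
<?php
// Added example, not the original post's code. Connection details are placeholders.
declare(strict_types=1);

const DB_HOST = '127.0.0.1';   // placeholder
const DB_NAME = 'app';         // placeholder
const DB_USER = 'app_user';    // placeholder
const DB_PASS = 'change-me';   // placeholder

// Character sets the post treats as safe for the connection encoding.
const SAFE_CHARSETS = ['utf8', 'utf8mb4', 'latin1', 'ascii'];

// --- Weak: the charset is changed with a plain query. The server now uses it,
// but the PHP client library was never told, so any client-side escaping or
// emulated-prepare quoting still assumes the old charset.
function connectPdoWeak(): PDO
{
    $pdo = new PDO('mysql:host=' . DB_HOST . ';dbname=' . DB_NAME, DB_USER, DB_PASS);
    $pdo->exec('SET NAMES utf8');   // server knows, client library does not
    return $pdo;
}

// --- Hardened PDO: charset in the DSN (honoured since PHP 5.3.6) and native
// prepared statements, so bound values never pass through client-side escaping.
function connectPdoSafe(): PDO
{
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', DB_HOST, DB_NAME);
    return new PDO($dsn, DB_USER, DB_PASS, [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}

// --- Hardened MySQLi: set_charset() updates both the server session and the
// client library, so mysqli_real_escape_string() uses the same charset.
function connectMysqliSafe(): mysqli
{
    $mysqli = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
    if ($mysqli->connect_error) {
        throw new RuntimeException('connect failed: ' . $mysqli->connect_error);
    }
    if (!$mysqli->set_charset('utf8mb4')) {
        throw new RuntimeException('set_charset failed: ' . $mysqli->error);
    }
    return $mysqli;
}

// Sanity check after connecting: the server-side client and connection charsets
// must both equal what the application configured, and it must be on the safe list.
function assertCharsetConsistent(PDO $pdo, string $expected): void
{
    if (!in_array($expected, SAFE_CHARSETS, true)) {
        throw new RuntimeException("charset {$expected} is not on the safe list");
    }
    $row = $pdo->query('SELECT @@character_set_client AS c, @@character_set_connection AS x')
               ->fetch(PDO::FETCH_ASSOC);
    foreach (['c', 'x'] as $k) {
        if ($row[$k] !== $expected) {
            throw new RuntimeException("connection charset is {$row[$k]}, expected {$expected}");
        }
    }
}

// Bound parameter: the value travels separately from the SQL text, so a quote
// in the input (or any multibyte sequence around it) cannot alter the statement.
function findUserByName(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    return $user === false ? null : $user;
}

$pdo = connectPdoSafe();
assertCharsetConsistent($pdo, 'utf8mb4');
var_dump(findUserByName($pdo, "O'Brien"));
```

`assertCharsetConsistent()` is the check worth running once at startup: if a framework or a stray `SET NAMES` changes the session charset later, the client library's idea of the encoding and the server's drift apart, which is exactly the mismatch the linked post exploits.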