wasn't sure if this is more correct here or web security, so kindly excuse me if this is the wrong forum.

I have been given the task of creating a set of tools for a server that allows users to make more secure php+mysql webapps.

One of the modules is for database interconnect and my question is this:

can an attacker force a different type of char encoding into a mysql query? For example unicode or even hex (does mysql support embedded sql?)? It seems that mysql can deal with unicode, according to the docs, but it is unclear if it can deal with multiple encoding types within a single query or set of queries.

If any of these are true, will using a different encoding type than the php engine is running bypass mysql_escape_string() only to be decoded at the db level? I have been able to find no data on this type of attack. This could mean either it isn't possible and i am just being paranoid or it is possible and has not occurred to anyone else yet.

The current method I am using is to break down the db to four accounts with limited permissions:

user_select(select)
user_insert(insert)
user_delete(delete, select)
user_update(update, select)

preg_match("/^delete.*delete|select|0x/i", $query)

is an example of what I am currently using to control the delete queries. I only want one instance of delete, zero instances of select and zero instances of 0x until i am sure about the encoding issue.

Does anyone have any thoughts about this subject matter? I'd rather not do lots of testing if this is a known issue/non-issue and I have just been blind.

thanks,

catch