
When speaking about security do not rely on default link in mysql_* function calls


    • Type: Documentation
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.0.5
    • Component/s: None
    • Labels:


      The documentation about escaping reads:

      "Consider the previous query, now parameterized to fetch only a single article by id. Using ext/mysql (still the primary choice of MySQL access for many developers) you had to escape every value passed into the query using mysql_real_escape_string() to avoid SQL injection:

      $sql = "SELECT * FROM articles WHERE id = '" . mysql_real_escape_string($id) . "'";
      $rs = mysql_query($sql);"

      Please do not rely on MySQL default links when discussing security issues. One of the major differences between the mysql and the later mysqli extension is that mysqli forces users to explicitly specify a connection handle. There is no concept of default links and magical global connection handles in mysqli any more. The convenience of not having to specify a connection handle has been removed from mysqli. This was done to increase security, for example when escaping strings. Escaping needs to take the current charset of the connection into account. Thus, it is recommended to explicitly specify the connection and so not to use the default connection.

      "string mysql_real_escape_string ( string $unescaped_string [, resource $link_identifier ] )"

      Please change the example to:

      $sql = "SELECT * FROM articles WHERE id = '" . mysql_real_escape_string($id, $link) . "'";
      $rs = mysql_query($sql);

      ($link added)
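The pattern the report asks for, as an added example that is not part of this issue or of the Doctrine documentation it quotes. It is written against ext/mysqli, where the connection handle is a required argument, so the default-link problem cannot arise, and it puts the explicit-handle escaping next to a prepared-statement version that needs no escaping at all. With ext/mysql, omitting the link means the last opened connection is used, or a new one is opened as if mysql_connect() had been called with no arguments, so the escape can run under a charset other than the one the query is sent with; passing the same handle to the escape and the query removes that gap. The host, credentials and database name are placeholder assumptions; the articles table is the one from the quoted documentation.

```php
<?php
// Added example for DBAL-118; not code from the Doctrine documentation.
// Connection parameters are placeholders (assumption). The 'articles'
// table is the one used in the quoted documentation snippet.

declare(strict_types=1);

// Open the connection once and keep the handle. Setting the charset on the
// handle matters: mysqli_real_escape_string() escapes according to the
// charset of the connection it is given, so escaping and querying must use
// the same handle with the same charset.
function connectToBlog(): mysqli
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $link = mysqli_connect('localhost', 'blog_user', 'secret', 'blog');
    mysqli_set_charset($link, 'utf8mb4');
    return $link;
}

// The corrected form of the documentation example: the link is passed
// explicitly both to the escaping function and to mysqli_query().
function fetchArticleEscaped(mysqli $link, string $id): ?array
{
    $sql = "SELECT * FROM articles WHERE id = '"
         . mysqli_real_escape_string($link, $id) . "'";
    $rs  = mysqli_query($link, $sql);
    $row = mysqli_fetch_assoc($rs);
    mysqli_free_result($rs);
    return $row ?: null;
}

// The form to prefer: a server-side prepared statement, where the value
// travels separately from the SQL text and no escaping is involved.
function fetchArticlePrepared(mysqli $link, int $id): ?array
{
    $stmt = mysqli_prepare($link, 'SELECT * FROM articles WHERE id = ?');
    mysqli_stmt_bind_param($stmt, 'i', $id);
    mysqli_stmt_execute($stmt);
    $row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
    mysqli_stmt_close($stmt);
    return $row ?: null;
}

$link = connectToBlog();

// Constructed injection attempt: with the explicit handle the quote is
// escaped under the connection's utf8mb4 charset, the whole string is
// compared as a literal id, and no row comes back.
var_dump(fetchArticleEscaped($link, "1' OR '1'='1"));
var_dump(fetchArticlePrepared($link, 1));

mysqli_close($link);
```

Run it against a MySQL server that has a blog database with an articles table; the first call returns NULL because the escaped string matches no id, and the second returns the row with id 1 if it exists.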



        nixnutz Ulf Wendel created issue
        beberlei Benjamin Eberlei made changes:
          Status: Open -> Resolved
          Fix Version/s: 2.0.5
          Resolution: Fixed
        beberlei Benjamin Eberlei made changes:
          Workflow: jira -> jira-feedback2
        beberlei Benjamin Eberlei made changes:
          Workflow: jira-feedback2 -> jira-feedback3


          • Assignee: beberlei Benjamin Eberlei
          • Reporter: nixnutz Ulf Wendel
          • Votes: 0
          • Watchers: 0
          • Created: