[DBAL-118] When speaking about security do not rely on default link in mysql_* function calls Created: 11/May/11  Updated: 14/May/11  Resolved: 14/May/11

Status: Resolved
Project: Doctrine DBAL
Component/s: None
Affects Version/s: None
Fix Version/s: 2.0.5

Type: Documentation Priority: Major
Reporter: Ulf Wendel Assignee: Benjamin Eberlei
Resolution: Fixed Votes: 0
Labels: None


The documentation about escaping reads:

"Consider the previous query, now parameterized to fetch only a single article by id. Using ext/mysql (still the primary choice of MySQL access for many developers) you had to escape every value passed into the query using mysql_real_escape_string() to avoid SQL injection:

$sql = "SELECT * FROM articles WHERE id = '" . mysql_real_escape_string($id) . "'";
$rs = mysql_query($sql);",

Please, do not rely on MySQL default links when discussing security issues. One of major differences between the mysql and the later mysqli extension is that mysqli forces users to explicitly specify a connection handle. There is no concept of default links and magical global connection handles in mysqli any more. The convenience of not having to specify a connection handle has been removed from mysqli. This was done to increase security, for example, when escaping strings. Escaping needs to take the current charset of the connection into account. Thus, it is recommended to explicitly specify the connection and so not use default connection.

"string mysql_real_escape_string ( string $unescaped_string [, resource $link_identifier ] )",

Please, change the example:

$sql = "SELECT * FROM articles WHERE id = '" . mysql_real_escape_string($id, $link) . "'";
$rs = mysql_query($sql);",

($link added)


Comment by Benjamin Eberlei [ 14/May/11 ]

Changed, the new docs will be rolled up sometime this weekend.

Generated at Tue Dec 01 13:23:06 EST 2015 using JIRA 6.4.10#64025-sha1:5b8b74079161cd76a20ab66dda52747ee6701bd6.