[DBAL-118] When speaking about security do not rely on default link in mysql_* function calls Created: 11/May/11 Updated: 14/May/11 Resolved: 14/May/11
|Reporter:||Ulf Wendel||Assignee:||Benjamin Eberlei|
The documentation about escaping reads:
"Consider the previous query, now parameterized to fetch only a single article by id. Using ext/mysql (still the primary choice of MySQL access for many developers) you had to escape every value passed into the query using mysql_real_escape_string() to avoid SQL injection:
Please, do not rely on MySQL default links when discussing security issues. One of major differences between the mysql and the later mysqli extension is that mysqli forces users to explicitly specify a connection handle. There is no concept of default links and magical global connection handles in mysqli any more. The convenience of not having to specify a connection handle has been removed from mysqli. This was done to increase security, for example, when escaping strings. Escaping needs to take the current charset of the connection into account. Thus, it is recommended to explicitly specify the connection and so not use default connection.
"string mysql_real_escape_string ( string $unescaped_string [, resource $link_identifier ] )",
Please, change the example:
|Comment by Benjamin Eberlei [ 14/May/11 ]|
Changed, the new docs will be rolled up sometime this weekend.