DBAL-118: When speaking about security do not rely on default link in mysql_* function calls #1122

doctrinebot opened this Issue May 11, 2011 · 2 comments

2 participants


Jira issue originally created by user nixnutz:

The documentation about escaping reads:

"Consider the previous query, now parameterized to fetch only a single article by id. Using ext/mysql (still the primary choice of MySQL access for many developers) you had to escape every value passed into the query using mysqlreal_escapestring() to avoid SQL injection:

$sql = "SELECT * FROM articles WHERE id = '" . mysqlreal_escapestring($id) . "'";
$rs = mysql_query($sql);",

Please, do not rely on MySQL default links when discussing security issues. One of major differences between the mysql and the later mysqli extension is that mysqli forces users to explicitly specify a connection handle. There is no concept of default links and magical global connection handles in mysqli any more. The convenience of not having to specify a connection handle has been removed from mysqli. This was done to increase security, for example, when escaping strings. Escaping needs to take the current charset of the connection into account. Thus, it is recommended to explicitly specify the connection and so not use default connection.

"string mysqlreal_escape_string ( string $unescaped_string [, resource $linkidentifier ] )",

Please, change the example:

$sql = "SELECT * FROM articles WHERE id = '" . mysqlreal_escapestring($id, $link) . "'";
$rs = mysql_query($sql);",

($link added)



Comment created by @beberlei:

Changed, the new docs will be rolled up sometime this weekend.


Issue was closed with resolution "Fixed"

@beberlei beberlei was assigned by doctrinebot Dec 6, 2015
@doctrinebot doctrinebot added this to the 2.0.5 milestone Dec 6, 2015
@doctrinebot doctrinebot closed this Dec 6, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment