Skip to content


DBAL-118: When speaking about security do not rely on default link in mysql_* function calls #1122

doctrinebot opened this Issue · 2 comments

2 participants


Jira issue originally created by user nixnutz:

The documentation about escaping reads:

"Consider the previous query, now parameterized to fetch only a single article by id. Using ext/mysql (still the primary choice of MySQL access for many developers) you had to escape every value passed into the query using mysqlreal_escapestring() to avoid SQL injection:

$sql = "SELECT * FROM articles WHERE id = '" . mysqlreal_escapestring($id) . "'";
$rs = mysql_query($sql);",

Please, do not rely on MySQL default links when discussing security issues. One of major differences between the mysql and the later mysqli extension is that mysqli forces users to explicitly specify a connection handle. There is no concept of default links and magical global connection handles in mysqli any more. The convenience of not having to specify a connection handle has been removed from mysqli. This was done to increase security, for example, when escaping strings. Escaping needs to take the current charset of the connection into account. Thus, it is recommended to explicitly specify the connection and so not use default connection.

"string mysqlreal_escape_string ( string $unescaped_string [, resource $linkidentifier ] )",*real_escape*string

Please, change the example:

$sql = "SELECT * FROM articles WHERE id = '" . mysqlreal_escapestring($id, $link) . "'";
$rs = mysql_query($sql);",

($link added)



Comment created by @beberlei:

Changed, the new docs will be rolled up sometime this weekend.


Issue was closed with resolution "Fixed"

@beberlei beberlei was assigned by doctrinebot
@doctrinebot doctrinebot added this to the 2.0.5 milestone
@doctrinebot doctrinebot closed this
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.