author | David Rothstein <drothstein@gmail.com> | 2015-03-30 21:57:40 -0400 |
---|---|---|
committer | David Rothstein <drothstein@gmail.com> | 2015-03-30 21:57:40 -0400 |
commit | 3329a70175eb772ee89568ec3423572e48012518 (patch) | |
tree | 5505e3c09bf465120966dee54a9c7adcdefbfb3b /includes | |
parent | 32efb5c811d38a8b25d30c14ef89044d04440e62 (diff) | |
Issue #1201452 by mgifford, Heine, ircmaxell: Improve security on newer versions of PHP by setting an additional charset DSN parameter when connecting to MySQL via PDO
Diffstat (limited to 'includes')
-rw-r--r-- | includes/database/mysql/database.inc | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/includes/database/mysql/database.inc b/includes/database/mysql/database.inc index 4907a39dd..0b84f2719 100644 --- a/includes/database/mysql/database.inc +++ b/includes/database/mysql/database.inc @@ -36,6 +36,10 @@ class DatabaseConnection_mysql extends DatabaseConnection { // Default to TCP connection on port 3306. $dsn = 'mysql:host=' . $connection_options['host'] . ';port=' . (empty($connection_options['port']) ? 3306 : $connection_options['port']); } + // Character set is added to dsn to ensure PDO uses the proper character + // set when escaping. This has security implications. See + // https://www.drupal.org/node/1201452 for further discussion. + $dsn .= ';charset=utf8'; $dsn .= ';dbname=' . $connection_options['database']; // Allow PDO options to be overridden. $connection_options += array( |
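Review bot: The new comment above `$dsn .= ';charset=utf8';` says the parameter will "ensure" PDO uses the proper character set when escaping, but the commit subject limits the benefit to newer versions of PHP. PDO_MYSQL ignores the DSN charset before PHP 5.3.6, so the comment should say the parameter only takes effect from that version on, rather than implying the escaping charset is guaranteed everywhere. The value is also hard-coded, while host, port and database in the same block come from `$connection_options`. If the connection character set is also set elsewhere (for example with SET NAMES after connecting), both places must name the same charset, so consider taking them from one shared constant or option.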