authorDavid Rothstein <drothstein@gmail.com>2015-03-30 21:57:40 -0400
committerDavid Rothstein <drothstein@gmail.com>2015-03-30 21:57:40 -0400
commit3329a70175eb772ee89568ec3423572e48012518 (patch)
tree5505e3c09bf465120966dee54a9c7adcdefbfb3b /includes
parent32efb5c811d38a8b25d30c14ef89044d04440e62 (diff)
Issue #1201452 by mgifford, Heine, ircmaxell: Improve security on newer versions of PHP by setting an additional charset DSN parameter when connecting to MySQL via PDO
Diffstat (limited to 'includes')
-rw-r--r--includes/database/mysql/database.inc4
1 files changed, 4 insertions, 0 deletions
diff --git a/includes/database/mysql/database.inc b/includes/database/mysql/database.inc
index 4907a39dd..0b84f2719 100644
--- a/includes/database/mysql/database.inc
+++ b/includes/database/mysql/database.inc
@@ -36,6 +36,10 @@ class DatabaseConnection_mysql extends DatabaseConnection {
// Default to TCP connection on port 3306.
$dsn = 'mysql:host=' . $connection_options['host'] . ';port=' . (empty($connection_options['port']) ? 3306 : $connection_options['port']);
}
+ // Character set is added to dsn to ensure PDO uses the proper character
+ // set when escaping. This has security implications. See
+ // https://www.drupal.org/node/1201452 for further discussion.
+ $dsn .= ';charset=utf8';
$dsn .= ';dbname=' . $connection_options['database'];
// Allow PDO options to be overridden.
$connection_options += array(
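Review bot: The comment above `$dsn .= ';charset=utf8';` does not say which PHP versions honour the parameter. PDO_MYSQL only reads `charset` from the DSN from PHP 5.3.6 onward and silently ignores it before that, so on older runtimes the escaping protection described here is not in effect. I would add a line such as `// Note: PHP versions before 5.3.6 ignore the charset DSN parameter.` The value should also agree with whatever character set is applied to the connection elsewhere in this constructor, which is not visible in the hunk. A mismatch between the client library's charset and the server's is the condition under which emulated-prepare escaping can be bypassed. The constructor body starts and ends outside the hunk.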