From 3329a70175eb772ee89568ec3423572e48012518 Mon Sep 17 00:00:00 2001
From: David Rothstein
Date: Mon, 30 Mar 2015 21:57:40 -0400
Subject: Issue #1201452 by mgifford, Heine, ircmaxell: Improve security on newer versions of PHP by setting an additional charset DSN parameter when connecting to MySQL via PDO
---
 includes/database/mysql/database.inc | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'includes')
diff --git a/includes/database/mysql/database.inc b/includes/database/mysql/database.inc
index 4907a39dd..0b84f2719 100644
--- a/includes/database/mysql/database.inc
+++ b/includes/database/mysql/database.inc
@@ -36,6 +36,10 @@ class DatabaseConnection_mysql extends DatabaseConnection {
 // Default to TCP connection on port 3306.
 $dsn = 'mysql:host=' . $connection_options['host'] . ';port=' . (empty($connection_options['port']) ? 3306 : $connection_options['port']);
 }
+ // Character set is added to dsn to ensure PDO uses the proper character
+ // set when escaping. This has security implications. See
+ // https://www.drupal.org/node/1201452 for further discussion.
+ $dsn .= ';charset=utf8';
 $dsn .= ';dbname=' . $connection_options['database'];
 // Allow PDO options to be overridden.
 $connection_options += array(
-- cgit v1.2.3
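Review bot: The new comment above `$dsn .= ';charset=utf8';` says the DSN charset has security implications but not that PHP releases before 5.3.6 ignore this DSN parameter, so on those runtimes the line is a silent no-op and the escaping character set still depends on whatever the rest of the constructor sets (presumably a `SET NAMES` further down, outside this hunk). I would extend the comment with `// PHP < 5.3.6 ignores the charset DSN parameter; the connection charset set later must stay in agreement with it.` The value is also hard-coded, so if the connection charset ever becomes configurable this literal has to change with it, otherwise PDO's client-side escaping and the server would disagree again. The enclosing constructor begins and ends outside the hunk.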