Commit d36037d5 authored by Bill Schaller

Remove comment in security.rst about MySQL with PHP <= 5.3.6

parent fb2eda8a
...@@ -154,21 +154,4 @@ the ``Connection#quote`` method: ...@@ -154,21 +154,4 @@ the ``Connection#quote`` method:
$sql = "SELECT * FROM users WHERE name = " . $connection->quote($_GET['username'], \PDO::PARAM_STR); $sql = "SELECT * FROM users WHERE name = " . $connection->quote($_GET['username'], \PDO::PARAM_STR);
This method is only available for SQL, not for DQL. For DQL it is always encouraged to use prepared This method is only available for SQL, not for DQL. For DQL it is always encouraged to use prepared
statements not only for security, but also for caching reasons. statements not only for security, but also for caching reasons.
\ No newline at end of file
Non-ASCII compatible Charsets in MySQL
--------------------------------------
Up until PHP 5.3.6 PDO has a security problem when using non ascii compatible charsets. Even if specifying
the charset using "SET NAMES", emulated prepared statements and ``PDO#quote`` could not reliably escape
values, opening up to potential SQL injections. If you are running PHP 5.3.6 you can solve this issue
by passing the driver option "charset" to Doctrine PDO MySQL driver. Using SET NAMES does not suffice!
.. code-block::
<?php
$conn = DriverManager::getConnection(array(
'driver' => 'pdo_mysql',
'charset' => 'UTF8',
));
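Review bot: dropping the whole "Non-ASCII compatible Charsets in MySQL" section also removes the one piece of advice in it that is not tied to the PHP version, namely that the connection charset should be passed to the pdo_mysql driver as the ``'charset' => 'UTF8'`` option (so that PDO's client-side escaping in ``PDO#quote`` and emulated prepared statements knows the charset) rather than only via ``SET NAMES``. Consider keeping a shortened paragraph with the ``DriverManager::getConnection(array('driver' => 'pdo_mysql', 'charset' => 'UTF8'))`` example and removing only the PHP 5.3.6 qualifier, which was also self-contradictory ("Up until PHP 5.3.6 ..." followed by "If you are running PHP 5.3.6 you can solve this"). Separately, the ``.. code-block::`` directive in the removed text carried no language; if any of it is retained it should be ``.. code-block:: php``. The rendered hunk also shows ``\ No newline at end of file`` on the retained side, so the file now ends at "caching reasons." without a trailing newline; please add one.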