[wp-trac] [WordPress Trac] #28625: Enhancement: Add constants to support SSL connections for mysqli

WordPress Trac noreply at wordpress.org
Thu Jan 7 17:56:29 UTC 2016


#28625: Enhancement: Add constants to support SSL connections for mysqli
------------------------------------------------------+------------------
 Reporter:  hypertextranch                            |       Owner:
     Type:  enhancement                               |      Status:  new
 Priority:  normal                                    |   Milestone:  4.5
Component:  Database                                  |     Version:  4.0
 Severity:  normal                                    |  Resolution:
 Keywords:  has-patch needs-refresh needs-unit-tests  |     Focuses:
------------------------------------------------------+------------------

Comment (by INNOVOT):

 Replying to [comment:9 pento]:
 > Other projects generally use PDO, and do their DB config as arrays,
 > instead of constants.
 >
 > `mysqli_ssl_set()` was added in PHP 5.3 - we probably should add a
 > `function_exists()` check, even though it'd really only be a problem if
 > someone has defined `WP_USE_EXT_MYSQL` as `false` in PHP 5.2. (And maybe
 > fail to connect in this case, so that we're not silently using a non-SSL
 > connection.)
 >
 > For the concern about new wpdb instances, perhaps we need to add an
 > `$options` parameter to `wpdb::__construct()`? `$options['ssl']` would be
 > an array of the SSL options (if your global config doesn't do SSL, or you
 > want different SSL options), or `false` to prevent an SSL connection.
 > Undefined uses the global config.
 >
 > For the actual patch itself, I'm not wild about adding a pile of
 > constants, but that's kind of the best option that keeps with the
 > WordPress-y way. I can't decide if the `foreach` / `call_user_func_array`
 > combination is too clever, or just the right amount of clever. It'd need
 > to be reworked to work with `$options`, anyway. Also, it needs unit tests.
 >
 > With all that said, I find myself being in favour of adding this
 > functionality to Core, instead of recommending a drop-in. It's useful, it
 > increases security, and I don't think it's possible to render your site
 > unrecoverably broken (worst case: remove the constants from
 > `wp-config.php`) with it.

 100% agree with the final sentence. In this day and age there is no excuse
 not to use secure communications. Hope this does make it to core.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/28625#comment:10>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
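
The behaviour proposed in the quoted comment, sketched as an added example that is not part of the ticket, its patch, or WordPress core: `$options['ssl']` resolution (array, `false`, or undefined), plus failing closed when `mysqli_ssl_set()` is missing. The `example_*` functions and `EXAMPLE_DB_SSL_*` constants are hypothetical names chosen for illustration.

```php
<?php
// Added illustration, not WordPress core code. The example_* functions and
// EXAMPLE_DB_SSL_* constants are hypothetical names.

/**
 * Resolve the SSL settings for one connection:
 *   $options['ssl'] is an array => use those settings
 *   $options['ssl'] is false    => plain connection, even if global config has SSL
 *   key not set                 => fall back to the global config (constants)
 */
function example_resolve_ssl( array $options ) {
    if ( array_key_exists( 'ssl', $options ) ) {
        return ( false === $options['ssl'] ) ? false : (array) $options['ssl'];
    }
    if ( ! defined( 'EXAMPLE_DB_SSL_CA' ) ) {
        return false; // no global SSL configuration present
    }
    return array(
        'key'  => defined( 'EXAMPLE_DB_SSL_KEY' ) ? EXAMPLE_DB_SSL_KEY : null,
        'cert' => defined( 'EXAMPLE_DB_SSL_CERT' ) ? EXAMPLE_DB_SSL_CERT : null,
        'ca'   => EXAMPLE_DB_SSL_CA,
    );
}

function example_db_connect( $host, $user, $pass, $name, array $options = array() ) {
    $ssl   = example_resolve_ssl( $options );
    $dbh   = mysqli_init();
    $flags = 0;
    if ( false !== $ssl ) {
        // Fail closed: SSL was requested, so never fall back to plaintext.
        if ( ! function_exists( 'mysqli_ssl_set' ) ) {
            throw new RuntimeException( 'SSL requested but mysqli_ssl_set() is unavailable' );
        }
        $ssl += array( 'key' => null, 'cert' => null, 'ca' => null );
        mysqli_ssl_set( $dbh, $ssl['key'], $ssl['cert'], $ssl['ca'], null, null );
        $flags = MYSQLI_CLIENT_SSL;
    }
    if ( ! mysqli_real_connect( $dbh, $host, $user, $pass, $name, null, null, $flags ) ) {
        throw new RuntimeException( 'Database connection failed: ' . mysqli_connect_error() );
    }
    if ( false !== $ssl ) {
        // Confirm the session is encrypted; an empty Ssl_cipher means plaintext.
        $row = mysqli_fetch_row( mysqli_query( $dbh, "SHOW SESSION STATUS LIKE 'Ssl_cipher'" ) );
        if ( empty( $row[1] ) ) {
            mysqli_close( $dbh );
            throw new RuntimeException( 'SSL requested but the session is not encrypted' );
        }
    }
    return $dbh;
}
```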