[wp-trac] [WordPress Trac] #21663: Use PDO for MySQL queries when PDO is available
WordPress Trac
noreply at wordpress.org
Thu Jan 17 08:44:03 UTC 2013
#21663: Use PDO for MySQL queries when PDO is available
--------------------------------------------------+------------------
Reporter: scottconnerly | Owner:
Type: task (blessed) | Status: new
Priority: normal | Milestone: 3.6
Component: Database | Version: 3.5
Severity: normal | Resolution:
Keywords: dev-feedback has-patch needs-testing |
--------------------------------------------------+------------------
Comment (by johndoe123456):
One thing PDO doesn't offer, but mysqli does, is a set_charset() function.
If you think it's a good idea to emulate it by issuing a SET NAMES SQL
query, realize it's not fully equivalent.
Read
http://www.php.net/manual/en/mysqlinfo.concepts.charset.php
http://stackoverflow.com/questions/1650591/whether-to-use-set-names/14132028#14132028
I don't use WordPress, but I have a feeling you and your users will still
do manual string escaping for many years. And, they may change the charset
at runtime after the initial connection.
Not only could there be minor bugs, but maybe even rare SQL injection
opportunities reminiscent of the conditions talked about here
http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
(the point is the escaping function was naive of the character set,
and therefore couldn't properly escape the string).
Although, this is nothing new for any current WordPress code that uses
the mysql ext and uses a SET NAMES query instead of calling
mysql_set_charset(). It's exactly the same.
Food for thought. Good luck.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/21663#comment:50>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software