diff options
author | Derek Jones <derek.jones@ellislab.com> | 2011-04-20 02:47:34 +0200 |
---|---|---|
committer | Derek Jones <derek.jones@ellislab.com> | 2011-04-20 02:47:34 +0200 |
commit | bab1a6aab7aa9bd2ba0ad7bc51973dd00d273b31 (patch) | |
tree | a2360c3d03813783d0fca44b1fe2947e9873fb26 /user_guide | |
parent | f5c840241084e03d49e521bfcb62d2adbe9fce7d (diff) | |
parent | 6ae70cc8499499b5d77d77ec8974f95873edb861 (diff) |
Automated merge with http://hg.ellislab.com/CodeIgniter-Reactor
Diffstat (limited to 'user_guide')
-rw-r--r-- | user_guide/changelog.html | 4 | ||||
-rw-r--r-- | user_guide/database/configuration.html | 2 |
2 files changed, 5 insertions, 1 deletions
diff --git a/user_guide/changelog.html b/user_guide/changelog.html index 3a17edd90..b889152ad 100644 --- a/user_guide/changelog.html +++ b/user_guide/changelog.html @@ -63,6 +63,10 @@ Change Log <p>Release Date: Not Released</p> <ul> + <li>Security + <ul> + <li>An improvement was made to the MySQL and MySQLi drivers to prevent exposing a potential vector for SQL injection on sites using multi-byte character sets in the database client connection. <p>An incompatibility in PHP versions < 5.2.3 and MySQL < 5.0.7 with <em>mysql_set_charset()</em> creates a situation where using multi-byte character sets on these environments may potentially expose a SQL injection attack vector. Latin-1, UTF-8, and other "low ASCII" character sets are unaffected on all environments.</p> <p class="critical">If you are running or considering running a multi-byte character set for your database connection, please pay close attention to the server environment you are deploying on to ensure you are not vulnerable.</p></li> + </ul> <li>General Changes <ul> <li>Added Session Class userdata to the output profiler. Additionally, added a show/hide toggle on HTTP Headers, Session Data and Config Variables.</li> diff --git a/user_guide/database/configuration.html b/user_guide/database/configuration.html index fdeae0ee2..51d11c9f2 100644 --- a/user_guide/database/configuration.html +++ b/user_guide/database/configuration.html @@ -132,7 +132,7 @@ for the primary connection, but it too can be renamed to something more relevant <li><strong>cache_on</strong> - TRUE/FALSE (boolean) - Whether database query caching is enabled, see also <a href="caching.html">Database Caching Class</a>.</li> <li><strong>cachedir</strong> - The absolute server path to your database query cache directory.</li> <li><strong>char_set</strong> - The character set used in communicating with the database.</li> -<li><strong>dbcollat</strong> - The character collation used in communicating with the database.</li> +<li><strong>dbcollat</strong> - The character collation used in communicating with the database. <p class="important"><strong>Note:</strong> For MySQL and MySQLi databases, this setting is only used as a backup if your server is running PHP < 5.2.3 or MySQL < 5.0.7. There is an incompatibility in PHP with mysql_real_escape_string() which can make your site vulnerable to SQL injection if you are using a multi-byte character set and are running versions lower than these. Sites using Latin-1 or UTF-8 database character set and collation are unaffected.</p></li> <li><strong>swap_pre</strong> - A default table prefix that should be swapped with <var>dbprefix</var>. This is useful for distributed applications where you might run manually written queries, and need the prefix to still be customizable by the end user.</li> <li><strong>autoinit</strong> - Whether or not to automatically connect to the database when the library loads. If set to false, the connection will take place prior to executing the first query.</li> <li><strong>stricton</strong> - TRUE/FALSE (boolean) - Whether to force "Strict Mode" connections, good for ensuring strict SQL while developing an application.</li> |