From 6ae70cc8499499b5d77d77ec8974f95873edb861 Mon Sep 17 00:00:00 2001 From: Derek Jones Date: Tue, 19 Apr 2011 16:13:48 -0500 Subject: modified MySQL and MySQLi drivers to address a potential SQL injection attack vector when multi-byte character set connections are employed. (Does not impact Latin-1, UTF-8, etc. encodings) --- application/config/database.php | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'application/config') diff --git a/application/config/database.php b/application/config/database.php index 24d611ac5..fa541a734 100644 --- a/application/config/database.php +++ b/application/config/database.php @@ -26,6 +26,12 @@ | ['cachedir'] The path to the folder where cache files should be stored | ['char_set'] The character set used in communicating with the database | ['dbcollat'] The character collation used in communicating with the database +| NOTE: For MySQL and MySQLi databases, this setting is only used +| as a backup if your server is running PHP < 5.2.3 or MySQL < 5.0.7. +| There is an incompatibility in PHP with mysql_real_escape_string() which +| can make your site vulnerable to SQL injection if you are using a +| multi-byte character set and are running versions lower than these. +| Sites using Latin-1 or UTF-8 database character set and collation are unaffected. | ['swap_pre'] A default table prefix that should be swapped with the dbprefix | ['autoinit'] Whether or not to automatically initialize the database. | ['stricton'] TRUE/FALSE - forces 'Strict Mode' connections -- cgit v1.2.3-24-g4f1b