While going through some articles I read that MySQLi is better than MySQL, so I want to know which one is used in Elgg, and is it possible to switch it?
All three MySQL extensions are light wrappers around the same client library. ext/mysqli is better in that it offers more features and isn't formally deprecated.
Elgg is still using ext/mysql, and we should switch (to PDO_mysql), but it will be a lot of work for little immediate gain, which is probably why we haven't been eager to jump into it.
I see Elgg 1.11 is still using mysql_connect. PHP 7 will be released this year and will no longer support the mysql extension. See https://wiki.php.net/rfc/remove_deprecated_functionality_in_php7
Maybe now it is time to switch to PDO. Besides this imminent need, the gain is that users can choose different databases too.
TL;DR
What to Expect When You're Expecting: PHP 7: Part 1, Part 2
Some recent work has paved the way toward a PDO conversion. Short term we need a hacky replacement for sanitize_string() because there's no way we can convert everything to placeholders in one shot.
Why? As I understand, there is no need for sanitize_string() in PDO. So sanitize_string could be an empty function for BC and just return the string instead of mysql_real_escape_string($value).
Elgg core has 200+ usages of sanitize_string() and its aliases. Returning the string as is would create 200+ SQL injection vulnerabilities.
@Steve, I understand the current use of sanitize_string(). But when using PDO, it is recommended to use http://php.net/manual/en/pdo.prepare.php to avoid SQL injections. Also interesting to read http://stackoverflow.com/questions/3716373/real-escape-string-and-pdo
https://github.com/Elgg/Elgg/pull/8325 is close to ready. It uses PDO::quote and removes the surrounding quotes it adds. The next step is probably to expose more of PDO to plugins so they can actually use queries with placeholders, and quietly deprecate sanitize_string and its aliases.
While we'll eventually rewrite the possibly hundreds of queries and surrounding code to use placeholders, this is such a monumental feat that we've put this off for years. Once #8325 is in, you can devote as much time to that task as you'd like.
Great work! I still don't understand why my proposed solution would not work and avoid the breaking change. Even with PDO::quote it seems possible (at least to me).
The breaking change is minor. If you use the official Elgg APIs, it probably won't break anything. All our unit tests are working.
Yes, our goal is to use prepare() instead of sanitize_string(), but there are 200+ queries to convert and some of those are going to be difficult tasks. E.g. try converting elgg_get_entities() to prepared queries. Anyway there are tons of 3rd party plugins using sanitize_string(), so that's a necessity short term anyway.
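The two approaches the thread contrasts, as an added example that is not Elgg's code nor the code in pull request #8325: a backwards-compatible shim for sanitize_string() built on PDO::quote() that strips the surrounding quotes (the interim approach described above), next to the same lookup rewritten as a prepared statement with a placeholder (the long-term goal). The function names sanitize_string_pdo(), setup(), find_user_legacy() and find_user_prepared() and the users table are assumptions for illustration, and an in-memory SQLite connection stands in for PDO_mysql so the script runs offline.

```php
<?php
// Added example, not Elgg core code. Compares a PDO::quote()-based
// compatibility shim for sanitize_string() with a prepared statement.
// SQLite is used here so the script runs without a MySQL server; with
// PDO_mysql, set the charset in the DSN (e.g. ';charset=utf8mb4') so
// PDO::quote() escapes according to the connection's character set.

/**
 * Hypothetical backwards-compatible replacement for sanitize_string().
 * PDO::quote() returns the value wrapped in single quotes. Existing queries
 * already write '...' around the value in the SQL text, so the surrounding
 * quotes are removed. This only stays safe when the caller places the
 * result inside single quotes in the SQL; it is a bridge, not the end state.
 */
function sanitize_string_pdo(PDO $db, string $value): string
{
    $quoted = $db->quote($value);
    if ($quoted === false) {
        // Some drivers do not implement quote(); fail loudly rather than
        // returning the raw string.
        throw new RuntimeException('PDO driver does not support quote()');
    }
    return substr($quoted, 1, -1);
}

function setup(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (guid INTEGER PRIMARY KEY, username TEXT)');
    $db->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");
    return $db;
}

// Legacy style: the escaped value is interpolated into the query text.
function find_user_legacy(PDO $db, string $username): array
{
    $safe = sanitize_string_pdo($db, $username);
    $sql  = "SELECT guid, username FROM users WHERE username = '$safe'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Preferred style: a placeholder keeps the value out of the SQL text entirely,
// so no escaping function is involved.
function find_user_prepared(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT guid, username FROM users WHERE username = :name');
    $stmt->execute([':name' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = setup();

// Constructed input containing a single quote. Without escaping, the legacy
// query would be a syntax error (or worse); both versions handle it.
$awkward = "O'Brien";
var_dump(find_user_legacy($db, $awkward));    // array(0) {}
var_dump(find_user_prepared($db, $awkward));  // array(0) {}
var_dump(find_user_prepared($db, 'alice'));   // one row: guid 1, username alice
```

The shim keeps the 200+ existing call sites working while the connection moves to PDO, but it inherits the same constraint as mysql_real_escape_string(): it is only correct inside a single-quoted string literal, not for identifiers, numbers or LIMIT clauses. The prepared version removes that class of mistake, which is why the thread treats placeholders as the destination and the shim as the bridge.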