The following code and comment appear in includes/db/Database.php:

    protected function prepare( $sql, $func = 'DatabaseBase::prepare' ) {
        /* MySQL doesn't support prepared statements (yet), so just
         * pack up the query for reference. We'll manually replace
         * the bits later.
         */
        return array( 'query' => $sql, 'func' => $func );
    }

However, the MySQL 5.7 documentation indicates that prepared statements are 
supported:

http://dev.mysql.com/doc/refman/5.7/en/sql-syntax-prepared-statements.html

Is the comment in Database.php outdated, and if so, could MediaWiki be made 
more secure against SQL injection by supporting prepared statements with recent 
versions of MySQL? Or does the support already exist, in spite of the comment?

Best wishes,

Tom

Wenlin Institute, Inc. SPC (a Social Purpose Corporation)
文林研究所社会目的公司
Software for Learning Chinese
E-mail: [email protected]     Web: http://www.wenlin.com
Telephone: 1-877-4-WENLIN (1-877-493-6546)
☯

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

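For readers following the thread: the difference between "pack up the query and manually replace the bits later" and a real server-side prepared statement is easiest to see side by side. The following is an added example and is not MediaWiki's code; it uses PHP's PDO MySQL driver directly. The DSN, credentials, the `user` table with its `user_id` and `user_name` columns, and the sample input are all assumptions made for the illustration.

```php
<?php
// Added example (not MediaWiki code). Contrasts a query built by string
// interpolation with a server-side prepared statement via PDO/MySQL.
// Assumed environment (hypothetical): a MySQL server reachable at the DSN
// below and a table
//   CREATE TABLE user (user_id INT PRIMARY KEY, user_name VARCHAR(255));

declare(strict_types=1);

// Constructed attacker input: the quote closes the literal, the OR widens it.
$untrustedName = "alice' OR '1'='1";

// 1. Interpolation: whatever is in $userName becomes part of the SQL text.
//    Shown only as the "before"; never run this against real data.
function vulnerableQuery(string $userName): string
{
    return "SELECT user_id, user_name FROM user WHERE user_name = '$userName'";
}

// 2. Real prepared statement. ATTR_EMULATE_PREPARES => false matters: by
//    default the PDO MySQL driver splices the values into the SQL string
//    itself on the client, which is escaping, not a prepared statement.
function connect(): PDO
{
    $dsn = 'mysql:host=127.0.0.1;dbname=wiki;charset=utf8mb4'; // assumption
    return new PDO($dsn, 'wikiuser', 'secret', [                 // assumption
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

/**
 * The statement text is sent to the server once and parsed there; the
 * bound value travels separately, so no content of $userName can change
 * the statement's structure. The server only ever sees one column compare.
 */
function findUser(PDO $pdo, string $userName): array
{
    $stmt = $pdo->prepare(
        'SELECT user_id, user_name FROM user WHERE user_name = :name'
    );
    $stmt->bindValue(':name', $userName, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll();
}

echo "SQL the server would receive from interpolation:\n  ",
     vulnerableQuery($untrustedName), "\n";

$pdo  = connect();
$rows = findUser($pdo, $untrustedName);
// Matches only a user literally named "alice' OR '1'='1", normally none.
echo 'Prepared statement matched ', count($rows), " row(s)\n";
```

Two caveats a practitioner will want alongside this. Placeholders can only stand for values: table and column names, ORDER BY targets and similar identifiers cannot be bound and still need an allow-list or identifier quoting. And the same protection is available through `mysqli::prepare` with `bind_param`, which always uses server-side prepares; the PDO setting above is what makes PDO behave the same way.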