Limit all DB drivers to executing single statements by checking for delimiter

Created on 16 May 2015, about 10 years ago
Updated 4 May 2025, about 1 month ago

Follow-up to #2388255: (followup) Limit PDO MySQL to executing single statements if PHP supports it

Problem/Motivation

One of the reasons for the severity of https://www.drupal.org/SA-CORE-2014-005 was the fact that PDO MySQL allows multiple statements to be executed in a single query call.

This affects all database drivers, not just MySQL.

Proposed resolution

Check all SQL strings and throw an exception if a delimiter is present. This should not cause any problems if all user data is interpolated via placeholders.
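One way to implement the check described above, as an added example in PHP that is not Drupal's own code: `assertSingleStatement()` (a hypothetical name) only rejects a `;` that sits outside string literals, quoted identifiers and standard SQL comments, so a delimiter inside a quoted value or a comment does not cause a false rejection; the `{users}` queries are constructed samples.

```php
<?php
// Added illustration, not Drupal's own code: reject any SQL string that
// carries a ';' delimiter outside string literals, quoted identifiers and
// standard SQL comments, so a driver only ever runs one statement.
function assertSingleStatement(string $sql): void
{
    $len = strlen($sql);
    for ($i = 0; $i < $len; $i++) {
        $c = $sql[$i];
        if ($c === "'" || $c === '"' || $c === '`') {
            // Skip to the matching quote; a doubled quote ('' / "") is an
            // escaped quote. Backslash escapes are deliberately not honoured:
            // a MySQL-style \' ends the literal here, which errs towards rejecting.
            for ($i++; $i < $len; $i++) {
                if ($sql[$i] !== $c) continue;
                if ($i + 1 < $len && $sql[$i + 1] === $c) { $i++; continue; }
                break;
            }
        } elseif ($c === '-' && substr($sql, $i, 2) === '--') {
            // Line comment: skip to end of line.
            $nl = strpos($sql, "\n", $i);
            $i = $nl === false ? $len : $nl;
        } elseif ($c === '/' && substr($sql, $i, 2) === '/*') {
            // Block comment: skip past the closing */ (or to the end if missing).
            $end = strpos($sql, '*/', $i + 2);
            $i = $end === false ? $len : $end + 1;
        } elseif ($c === ';') {
            throw new \InvalidArgumentException("';' found at offset $i: only one statement per query is allowed.");
        }
    }
}

// Constructed calls: a ';' inside a literal or comment is harmless,
// a second statement is refused before it reaches the driver.
assertSingleStatement("SELECT name FROM {users} WHERE note = 'a; b' -- trailing; comment");
try {
    assertSingleStatement("SELECT 1; DROP TABLE {users}");
} catch (\InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Because bound placeholder values never pass through this scanner, a `;` in user data stays harmless, which is why the check only bites when SQL is built by string interpolation.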

Remaining tasks

User interface changes

n/a

API changes

better DB security

Task
Status

Fixed

Version

8.0

Component

database system

Created by

pwolanin (United States)

Tags

  • Security improvements: It makes Drupal less vulnerable to abuse or misuse. Note that this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether on the security team or not) can apply this tag to security improvements that do not directly present a vulnerability, e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.
