Differential D20004 Diff 47766 src/aphront/storage/connection/mysql/AphrontMySQLiDatabaseConnection.php
Changeset View
Changeset View
Standalone View
Standalone View
src/aphront/storage/connection/mysql/AphrontMySQLiDatabaseConnection.php
| Show First 20 Lines • Show All 58 Lines • ▼ Show 20 Lines | protected function connect() { | ||||
| $conn = mysqli_init(); | $conn = mysqli_init(); | ||||
| $timeout = $this->getConfiguration('timeout'); | $timeout = $this->getConfiguration('timeout'); | ||||
| if ($timeout) { | if ($timeout) { | ||||
| $conn->options(MYSQLI_OPT_CONNECT_TIMEOUT, $timeout); | $conn->options(MYSQLI_OPT_CONNECT_TIMEOUT, $timeout); | ||||
| } | } | ||||
| // See T13238. Attempt to prevent "LOAD DATA LOCAL INFILE", which allows a | |||||
| // malicious server to ask the client for any file. | |||||
| // NOTE: See T13238. This option does not appear to ever have any effect. | |||||
| // Only the PHP level configuration of "mysqli.allow_local_infile" is | |||||
| // effective in preventing "LOAD DATA LOCAL INFILE". It appears that the | |||||
| // configuration option may overwrite the local option? Set the local | |||||
| // option to the desired (safe) value anyway in case this starts working | |||||
| // properly in some future version of PHP/MySQLi. | |||||
| $conn->options(MYSQLI_OPT_LOCAL_INFILE, 0); | |||||
| if ($this->getPersistent()) { | if ($this->getPersistent()) { | ||||
| $host = 'p:'.$host; | $host = 'p:'.$host; | ||||
| } | } | ||||
| @$conn->real_connect( | @$conn->real_connect( | ||||
| $host, | $host, | ||||
| $user, | $user, | ||||
| $pass, | $pass, | ||||
| $database, | $database, | ||||
| $port); | $port); | ||||
| $errno = $conn->connect_errno; | $errno = $conn->connect_errno; | ||||
| if ($errno) { | if ($errno) { | ||||
| $error = $conn->connect_error; | $error = $conn->connect_error; | ||||
| $this->throwConnectionException($errno, $error, $user, $host); | $this->throwConnectionException($errno, $error, $user, $host); | ||||
| } | } | ||||
| // See T13238. Attempt to prevent "LOAD DATA LOCAL INFILE", which allows a | |||||
| // malicious server to ask the client for any file. At time of writing, | |||||
| // this option MUST be set after "real_connect()" on all PHP versions. | |||||
| $conn->options(MYSQLI_OPT_LOCAL_INFILE, 0); | |||||
| $this->connectionOpen = true; | $this->connectionOpen = true; | ||||
| $ok = @$conn->set_charset('utf8mb4'); | $ok = @$conn->set_charset('utf8mb4'); | ||||
| if (!$ok) { | if (!$ok) { | ||||
| $ok = $conn->set_charset('binary'); | $ok = $conn->set_charset('binary'); | ||||
| } | } | ||||
| return $conn; | return $conn; | ||||
| ▲ Show 20 Lines • Show All 148 Lines • Show Last 20 Lines | |||||