[MediaWiki-l] prepared statements, MySQL, Database.php

Tom Bishop, Wenlin Institute tangmu at wenlin.com
Sun Oct 30 19:37:21 UTC 2016

The following code and comment appears in includes/db/Database.php:

    protected function prepare( $sql, $func = 'DatabaseBase::prepare' ) {
        /* MySQL doesn't support prepared statements (yet), so just
         * pack up the query for reference. We'll manually replace
         * the bits later.
         */
        return array( 'query' => $sql, 'func' => $func );
    }

However, the MySQL 5.7 documentation indicates that prepared statements are supported:


Is the comment in Database.php outdated, and if so, could MediaWiki be made more secure against SQL injection by supporting prepared statements with recent versions of MySQL? Or does the support already exist, in spite of the comment?

Best wishes,


Wenlin Institute, Inc. SPC (a Social Purpose Corporation)
Software for Learning Chinese
E-mail: wenlin at wenlin.com     Web: http://www.wenlin.com
Telephone: 1-877-4-WENLIN (1-877-493-6546)
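
As an added illustration in PHP (not code from the original post, and not MediaWiki's own code), here is the distinction the question turns on: a client-side "fill in the placeholders later" approach of the kind the quoted comment describes, next to a native server-side prepared statement through mysqli. The table and column names and the connection details are assumptions for the example.

```php
<?php
// Added example, not MediaWiki code. It contrasts the two approaches the
// question is about: client-side substitution of placeholders (the
// "manually replace the bits later" strategy the quoted comment describes)
// versus a server-side prepared statement via mysqli, where MySQL receives
// the SQL text and the parameter values separately and never re-parses a
// value as SQL.

// --- Approach 1: emulated "prepare" (constructed sketch of the idea) ---
// The query is stored as-is; each '?' is replaced by a quoted value later.
function emulatedPrepare( string $sql ): array {
    return [ 'query' => $sql ];
}

// Substitute quoted values for '?' placeholders. Safety here depends
// entirely on the quoting routine agreeing with the server's parser and
// connection charset; the server still parses the final string as one SQL text.
function emulatedFill( mysqli $db, array $prepared, array $args ): string {
    $i = 0;
    return preg_replace_callback( '/\?/', function () use ( $db, $args, &$i ) {
        return "'" . $db->real_escape_string( (string)$args[$i++] ) . "'";
    }, $prepared['query'] );
}

// --- Approach 2: native server-side prepared statement ---
// The statement text with placeholders is sent to MySQL once; values are
// bound as typed parameters and transmitted separately, so a value that
// contains quotes or keywords is only ever data compared against user_name.
// (Table "user" and columns user_id/user_name are assumed for illustration.)
function fetchUserId( mysqli $db, string $userName ): ?int {
    $stmt = $db->prepare( 'SELECT user_id FROM user WHERE user_name = ?' );
    if ( $stmt === false ) {
        throw new RuntimeException( 'prepare failed: ' . $db->error );
    }
    $stmt->bind_param( 's', $userName );   // 's' = string parameter
    $stmt->execute();
    $stmt->bind_result( $userId );
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (int)$userId : null;
}

// Usage (connection parameters are placeholders):
// $db = new mysqli( 'localhost', 'wikiuser', 'PASSWORD', 'wikidb' );
// $db->set_charset( 'utf8mb4' );  // keep escaping and server charset aligned
// $sql = emulatedFill( $db, emulatedPrepare( 'SELECT user_id FROM user WHERE user_name = ?' ), [ $name ] );
// $id  = fetchUserId( $db, $name );
```

Both paths need the connection charset set explicitly; the emulated path additionally depends on every call site quoting every value, which is the gap native prepared statements close.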
