[MediaWiki-l] prepared statements, MySQL, Database.php

Brian Wolff bawolff at gmail.com
Mon Oct 31 09:06:34 UTC 2016

On Sun, Oct 30, 2016 at 7:37 PM, Tom Bishop, Wenlin Institute
<tangmu at wenlin.com> wrote:
> The following code and comment appears in includes/db/Database.php:
>     protected function prepare( $sql, $func = 'DatabaseBase::prepare' ) {
>         /* MySQL doesn't support prepared statements (yet), so just
>          * pack up the query for reference. We'll manually replace
>          * the bits later.
>          */
>         return array( 'query' => $sql, 'func' => $func );
>     }
> However, the MySQL 5.7 documentation indicates that prepared statements are supported:
>         http://dev.mysql.com/doc/refman/5.7/en/sql-syntax-prepared-statements.html
> Is the comment in Database.php outdated, and if so, could MediaWiki be made more secure against SQL injection by supporting prepared statements with recent versions of MySQL? Or does the support already exist, in spite of the comment?
> Best wishes,
> Tom

A large part of Database.php was written back in the MySQL 3 era,
which predates many of MySQL's more modern features.

The client-side implementation of PREPARE was added back on Oct 18,
2004 ( https://www.mediawiki.org/wiki/Special:Code/MediaWiki/5962 ).
Since then, it's never really been used, nor has that code really been
touched. Most of our code uses the array-based Database::select()
wrapper, which has mostly proven effective against SQL injections.
(There have been instances of SQL injection in MW in the past,
although it's not very common relative to other types of security
vulnerabilities like XSS).

Whether or not we should use prepared queries in MW in general, I
don't know. Personally I like our current mechanisms and think they
are just fine, but perhaps I just like what I'm used to. In any case,
if we were to change to using prepared statements as our current best
practice, it would require either a discussion on wikitech-l or a
MediaWiki RFC.
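The three query-building styles discussed in this thread (the client-side prepare()/execute() emulation that "packs up the query" and substitutes quoted values later, the array-based Database::select() wrapper, and a real driver-bound parameter), side by side with the interpolated form they replace. This is an added Python/sqlite3 re-creation for illustration, not MediaWiki code; the table, rows and the quote() helper are constructed stand-ins, not the MW schema or addQuotes() implementation.

```python
import sqlite3

def make_db():
    """Constructed in-memory table standing in for a wiki 'page' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE page (page_id INTEGER, page_title TEXT, page_namespace INTEGER)")
    conn.executemany("INSERT INTO page VALUES (?, ?, ?)",
                     [(1, "Main_Page", 0), (2, "Sandbox", 0), (3, "Secret_Draft", 2)])
    return conn

def quote(value):
    """Client-side quoting (the job Database.php's addQuotes() does). Assumed helper."""
    if value is None:
        return "NULL"
    if isinstance(value, (int, float)):
        return str(value)
    return "'" + str(value).replace("'", "''") + "'"

def select_interpolated(conn, title):
    # Vulnerable: caller data is pasted straight into the SQL text.
    sql = "SELECT page_id FROM page WHERE page_title = '%s'" % title
    return [r[0] for r in conn.execute(sql)]

def select_emulated_prepare(conn, title):
    # What the quoted prepare() comment describes: keep the query with a
    # placeholder, then replace "the bits" with quoted values before sending.
    packed = {"query": "SELECT page_id FROM page WHERE page_title = ?"}
    sql = packed["query"].replace("?", quote(title), 1)
    return [r[0] for r in conn.execute(sql)]

def select_array_conds(conn, conds):
    # Array-based wrapper in the spirit of Database::select(): keys are column
    # names written in code, values are quoted client-side, then ANDed together.
    where = " AND ".join("%s = %s" % (col, quote(val)) for col, val in conds.items())
    return [r[0] for r in conn.execute("SELECT page_id FROM page WHERE " + where)]

def select_bound(conn, title):
    # Driver-side parameter binding: the value never becomes part of the SQL text.
    return [r[0] for r in conn.execute(
        "SELECT page_id FROM page WHERE page_title = ?", (title,))]

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed test input that breaks out of a quoted literal
    print(select_interpolated(db, probe))       # every row leaks
    print(select_emulated_prepare(db, probe))   # [] : quoting keeps it one literal
    print(select_array_conds(db, {"page_title": probe, "page_namespace": 0}))  # []
    print(select_bound(db, probe))              # []
```

Properly applied client-side quoting and true server-side binding give the same result on the probe; the difference is where the escaping responsibility lives (application code versus the driver), which is the trade-off the reply above weighs.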

