From ca38ade68c3777d5b1db1b261b2e374081008349 Mon Sep 17 00:00:00 2001
From: Alex Pott
Date: Fri, 21 Nov 2014 23:26:19 +0000
Subject: [PATCH] Issue #1201452 by Heine, mgifford: Potential Vulnerability In DatabaseConnection_mysql
---
 core/lib/Drupal/Core/Database/Driver/mysql/Connection.php | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/core/lib/Drupal/Core/Database/Driver/mysql/Connection.php b/core/lib/Drupal/Core/Database/Driver/mysql/Connection.php
index 66cd34fafacdfc3..64e1511614a97a3 100644
--- a/core/lib/Drupal/Core/Database/Driver/mysql/Connection.php
+++ b/core/lib/Drupal/Core/Database/Driver/mysql/Connection.php
@@ -61,6 +61,10 @@ class Connection extends DatabaseConnection {
 // Default to TCP connection on port 3306.
 $dsn = 'mysql:host=' . $connection_options['host'] . ';port=' . (empty($connection_options['port']) ? 3306 : $connection_options['port']);
 }
+ // Character set is added to dsn to ensure PDO uses the proper character
+ // set when escaping. This has security implications. See
+ // https://www.drupal.org/node/1201452 for further discussion.
+ $dsn .= ';charset=utf8';
 if (!empty($connection_options['database'])) {
 $dsn .= ';dbname=' . $connection_options['database'];
 }
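Review bot: The hard-coded `;charset=utf8` appended after the host/unix_socket branch must agree with whatever character set the connection is switched to elsewhere; if code outside this hunk issues `SET NAMES` with a different value, PDO's client-side quoting and the server would disagree again, which is the condition this patch closes. The added comment says only that this "has security implications", so I would name the coupling, e.g. `// Must match the charset the connection is set to elsewhere (e.g. SET NAMES): PDO::quote() and emulated prepares escape according to the DSN charset.` PDO MySQL honours the DSN `charset` key only from PHP 5.3.6 and silently ignores it before that, so the fix relies on the project's minimum PHP version being at least that. The enclosing method starts and ends outside the hunk, so any `SET NAMES` handling is inferred rather than visible here.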