|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #78467 Impossible to use PDO to connect to MySQL with ClearText Plugin
Submitted: 2019-08-27 18:05 UTC Modified: 2021-07-06 13:46 UTC
Avg. Score:4.8 ± 0.6
Reproduced:12 of 12 (100.0%)
Same Version:5 (41.7%)
Same OS:8 (66.7%)
From: henry dot paradiz at gmail dot com Assigned:
Status: Open Package: PDO MySQL
PHP Version: 7.1.31 OS: Any
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2019-08-27 18:05 UTC] henry dot paradiz at gmail dot com
AWS has a method of providing access to a database by using their SDK to provision a temporary password with a 15 minute life time. This authentication method requires the MySQL clear text plugin. With the MySQL CLI client this is turned on by providing the CLI switch --enable-cleartext-plugin

It is currently impossible to use PDO with the mysqlnd engine to facilitate this type of connection.

More details here:


Add a Patch

Pull Requests

Pull requests:

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2019-08-27 19:15 UTC] henry dot paradiz at gmail dot com
Someone guessed the password for this bug and posted a bunch of crap above. The comment above this one isn't mine. I have generated a random password for this bug so please disregard the clowns above. Thanks.
 [2019-08-27 19:22 UTC]
I've deleted the comments.
 [2019-10-03 20:52 UTC] henry dot paradiz at gmail dot com
The following pull request has been associated:

Patch Name: protect master branches except for the pecl repos against force pushes
On GitHub:
 [2019-10-07 14:39 UTC] henry dot paradiz at gmail dot com
This is why dropping old versions from package managers is stupid.
 [2019-10-07 14:40 UTC] henry dot paradiz at gmail dot com
I don't want them to maintain old versions. Just don't remove the old versions from package managers.

If I want to install old software that's my right and my risk to take. That's not up to you to decide. The vast majority of code written for 5.x could never be exploited anyway.

This is the height of nerd arrogance. Don't patronize me assholes. I'll figure out the risk for myself. If I feel like running php 4.0 on Slackware 3.1 I'll do it and that's none of your business.
 [2019-10-07 14:40 UTC] henry dot paradiz at gmail dot com
I'm not angry just have zero patience for arrogance, ignorance, and stupidity. The OP of this thread hasn't been exploited or hacked. Most PHP out there is still running 5.x.

You are neither qualified nor smart enough to put together a single one of these hacks you claim we are vulnurable to. You're spreading fear and FUD.

Linux is designed for security. The server is not running as root and neither is the PHP process on the box.

This is like bitching about someone using Windows 95 to play Doom. Yea they could be hacked but nothing of value would be lost and you're still just an asshole.
 [2019-10-07 14:41 UTC] henry dot paradiz at gmail dot com
I can tell you're less experienced cause you think packagist stats are accurate. Not everyone uses composer. And it's based on the CLI version at run time which is skewed towards CI docker images and workstations.

Priv escalation is something you will never pull off in your entire career so I don't know why you bring it up. Maaaaaybe a well placed gd exploiting jpeg with a buffer overflow. Anyway it's stupid to even think about.

My code needed very little change from 5.6 to 7 so good luck with that.

Here's my blog's source code. Have fun hacking it.

While you're at it bring me a beer. I'll wait.
 [2019-10-07 14:42 UTC] henry dot paradiz at gmail dot com
Maybe cause there's literally millions of sites out there running 5.x that aren't being hacked left and right? Not all things need fort knox built around them.

I'm routinely amazed at the lack of faith engineers in this subreddit have in the collective security structure of systems like Linux. Exploits are rare and usually involve esoteric PHP extensions and non-standard data manipulation techniques which most PHP code does not use.

I'm not trolling at all. I'm sure the code I wrote in 2014 would be fine on the open internet running 5.6.

To be honest I've never been hacked in my career and I've worked on some pretty high profile high traffic sites with some super janky code I've inherited. We're all connected to the internet on routers running old versions of Linux and it's fine.
 [2019-10-07 14:42 UTC] henry dot paradiz at gmail dot com

You're the one cherry picking. If you were intellectually honest you'd look up stats from servers on the open internet which is a way bigger pool than composer installs.

The stupid. It burns.
 [2019-10-07 14:43 UTC] henry dot paradiz at gmail dot com
Lol inb4 shared hosts running multiple versions of PHP.
 [2019-10-07 14:43 UTC] henry dot paradiz at gmail dot com
Literally my point. Lol. Thanks for making it.
 [2019-10-07 14:50 UTC]
-Block user comment: No +Block user comment: Yes
 [2021-07-06 13:46 UTC]
-Type: Bug +Type: Feature/Change Request
 [2021-07-06 13:46 UTC]
This is a general mysqlnd issue, which selects the authentication
plugin to use from what the server asks for, but does not allow to
explicitly specify the authentication plugin, even though a
cleartext_plugin is built-in, but apparently this can only be used
for PAM authentication.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Jul 24 12:01:28 2024 UTC