Issue #1201452 by Heine, mgifford: Potential Vulnerability In DatabaseConnection_mysql

core/lib/Drupal/Core/Database/Driver/mysql/Connection.php

@@ -61,6 +61,10 @@ public static function open(array &$connection_options = array()) {
       // Default to TCP connection on port 3306.
       $dsn = 'mysql:host=' . $connection_options['host'] . ';port=' . (empty($connection_options['port']) ? 3306 : $connection_options['port']);
     }
+    // Character set is added to dsn to ensure PDO uses the proper character
+    // set when escaping. This has security implications. See
+    // https://www.drupal.org/node/1201452 for further discussion.
+    $dsn .= ';charset=utf8';
     if (!empty($connection_options['database'])) {
       $dsn .= ';dbname=' . $connection_options['database'];
     }