Change record status: 
Project: 
Introduced in branch: 
7.x, 8.0.x
Introduced in version: 
7.40, 8.0.0-beta10
Description: 

The severity of https://www.drupal.org/SA-CORE-2014-005 could have been significantly reduced if multiple database queries were never allowed to be executed at once in the first place.

https://github.com/php/php-src/pull/896 added a feature to PHP itself to disallow multiple queries on MySQL databases for PHP >= 5.5.21 or 5.6.5. Drupal now automatically uses this flag where it is provided by PHP.

For module developers this means you can't execute multiple statements in one go:

Before

// Set connection options.
$pdo->exec(implode('; ', $connection_options['init_commands']));

After

foreach ($connection_options['init_commands'] as $sql) {
  $pdo->exec($sql);
}

Note that it should be very rare to need to change any custom or contributed code as a result of this, if your code is already using the database API properly. INSERT, UPDATE, or DELETE queries should always be done using the dedicated API functions (db_insert(), db_update(), or db_delete()), rather than by passing raw SQL into db_query(). Therefore, most existing code should have no need to attempt to execute multiple queries via a single raw database statement.

If you do attempt to execute multiple database statements at once after this change, a PDOException will be thrown. Note that the error message PHP displays will not necessarily make the reason for the error clear. It will usually start something like this:

PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near...

(rather than specifically indicating that multiple database statements were attempted)
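
The following is an added example, not code from Drupal or from the original change record. It shows how the flag can be set only where PHP provides it, and how the generic 1064 error can be rewrapped so the likely cause is named. The example_* function names and the semicolon heuristic are assumptions; PDO::MYSQL_ATTR_MULTI_STATEMENTS is the PDO constant for the PHP feature described above.

```php
<?php
// Added example; the example_* names are hypothetical, not Drupal API.
// Assumes the PDO extension is loaded.

// Build PDO driver options with multi-statement queries turned off.
// PDO::MYSQL_ATTR_MULTI_STATEMENTS only exists in PHP >= 5.5.21 / 5.6.5
// with pdo_mysql loaded, so test for it before use.
function example_pdo_options(array $options = array()) {
  // Errors must surface as exceptions for the wrapping below to work.
  $options += array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION);
  if (defined('PDO::MYSQL_ATTR_MULTI_STATEMENTS')) {
    // "+=" keeps any value the caller already set for this key.
    $options += array(PDO::MYSQL_ATTR_MULTI_STATEMENTS => FALSE);
  }
  return $options;
}

// Turn the generic 1064 syntax error into a message that names the likely
// cause. Heuristic (assumption): driver error 1064 plus a ';' that is not
// just a trailing terminator suggests several statements in one string.
function example_explain(PDOException $e, $sql) {
  $driver_code = isset($e->errorInfo[1]) ? (int) $e->errorInfo[1] : 0;
  $inner_semicolon = strpos(rtrim($sql, "; \t\r\n"), ';') !== FALSE;
  if ($driver_code === 1064 && $inner_semicolon) {
    return new RuntimeException('The SQL contains ";" and multi-statement '
      . 'queries may be disabled; send each statement in its own call. '
      . 'Original error: ' . $e->getMessage(), 0, $e);
  }
  return $e;
}

// Run statements one per call, as in the "After" snippet.
function example_exec_each(PDO $pdo, array $statements) {
  foreach ($statements as $sql) {
    try {
      $pdo->exec($sql);
    }
    catch (PDOException $e) {
      throw example_explain($e, $sql);
    }
  }
}

// With a live server (the $dsn, $user, $pass values are placeholders):
//   $pdo = new PDO($dsn, $user, $pass, example_pdo_options());
//   example_exec_each($pdo, $connection_options['init_commands']);

// Offline demonstration with a constructed exception and constructed SQL.
$e = new PDOException('SQLSTATE[42000]: Syntax error or access violation: 1064 ...');
$e->errorInfo = array('42000', 1064, 'constructed sample');
echo example_explain($e, "SET NAMES utf8; SET sql_mode = 'ANSI'")->getMessage(), "\n";
```

A semicolon inside a quoted string literal also matches the heuristic, which is why the rewrapped message says "may be disabled" and keeps the original PDOException as the previous exception.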

Impacts: 
Module developers
Updates Done (doc team, etc.)
Online documentation: 
Not done
Theming guide: 
Not done
Module developer documentation: 
Not done
Examples project: 
Not done
Coder Review: 
Not done
Coder Upgrade: 
Not done
Other: 
Other updates done