When should you NOT use MySQL DSN (Data Source Name)?

Never include credentials in the DSN string — pass them as the second and third PDO constructor arguments. Do not hardcode DSN values — use environment variables for all connection parameters.

When is MySQL DSN (Data Source Name) the right choice?

Build the DSN from environment variables — never hardcode host, port, or database name. Always include charset=utf8mb4 in the DSN string.

← Back to glossary

MySQL DSN (Data Source Name)

php PHP 5.1+ Beginner

Also Known As

PDO DSN database connection string PHP mysql DSN format

TL;DR

The connection string passed to PDO specifying the database driver, host, port, database name, and charset.

Explanation

A MySQL DSN follows the format: mysql:host=hostname;port=3306;dbname=database;charset=utf8mb4. The charset parameter ensures the connection uses the correct encoding from the first packet. Omitting charset and using SET NAMES afterwards can cause a brief window where the wrong charset is active. Unix socket connections use unix_socket=/path/to/mysql.sock instead of host. The DSN does not include credentials — those are passed as separate constructor arguments.

Watch Out

⚠ Omitting charset from the DSN and using SET NAMES afterwards leaves a window where the wrong charset is active for the first query.

Common Misconception

✗ SET NAMES 'utf8mb4' after connecting is equivalent to charset=utf8mb4 in the DSN. SET NAMES is a workaround — charset in the DSN sets encoding at the protocol level before any queries run.

Why It Matters

A malformed DSN causes a cryptic connection error. Missing charset causes encoding bugs. Using the wrong host/port in different environments causes environment-specific failures.

Common Mistakes

Omitting charset from the DSN and relying on SET NAMES — encoding mismatch before SET NAMES executes.
Hardcoding host/port in the DSN instead of reading from environment variables.
Including the password in the DSN string instead of the constructor's second and third arguments.

Avoid When

Never include credentials in the DSN string — pass them as the second and third PDO constructor arguments.
Do not hardcode DSN values — use environment variables for all connection parameters.

When To Use

Build the DSN from environment variables — never hardcode host, port, or database name.
Always include charset=utf8mb4 in the DSN string.

Code Examples

✗ Vulnerable

// Hardcoded, no charset, credentials in DSN string
$pdo = new PDO('mysql:host=localhost;dbname=mydb;user=root;password=secret');

✓ Fixed

// Build DSN from environment
$dsn = sprintf(
    'mysql:host=%s;port=%d;dbname=%s;charset=utf8mb4',
    $_ENV['DB_HOST'],
    (int) ($_ENV['DB_PORT'] ?? 3306),
    $_ENV['DB_NAME']
);
$pdo = new PDO($dsn, $_ENV['DB_USER'], $_ENV['DB_PASS']);

References

↗ https://www.php.net/manual/en/ref.pdo-mysql.connection.php

Tags

Added 31 Mar 2026

Curated in Warsaw under one editorial standard. 1,444 terms, single voice. About this reference →

Rate this term

No ratings yet

🤖 AI Guestbook educational data only

| |

Last 30 days

Agents 0

No pings yet today

No pings yesterday

Unknown AI 3 Google 2 Perplexity 1 Meta AI 1 Ahrefs 1

Also referenced

PDO 32 MySQL charset=utf8mb4 16 PDO Error Handling 14

How they use it

crawler 6 crawler_json 1 pre-tracking 1

Related categories

php 6.3k

⚡ DEV INTEL Tools & Severity

⚙ Fix effort: Low

⚡ Quick Fix

Always include charset=utf8mb4 in the DSN — do not rely on SET NAMES after connection

📦 Applies To

PHP 5.1+ web cli

🔗 Prerequisites

PDO

🔍 Detection Hints

new PDO('mysql:...password=...') or charset not in DSN

Auto-detectable: ✓ Yes semgrep

⚠ Related Problems

Hardcoded Credentials encoding bugs

🤖 AI Agent

Confidence: High False Positives: Low ✗ Manual fix Fix: Low Context: Line

CWE-798