Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:101043
Return-Path: <scott@paragonie.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 82620 invoked from network); 3 Nov 2017 15:34:04 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 3 Nov 2017 15:34:04 -0000
Authentication-Results: pb1.pair.com header.from=scott@paragonie.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=scott@paragonie.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain paragonie.com designates 74.125.82.172 as permitted sender)
X-PHP-List-Original-Sender: scott@paragonie.com
X-Host-Fingerprint: 74.125.82.172 mail-ot0-f172.google.com  
Received: from [74.125.82.172] ([74.125.82.172:56299] helo=mail-ot0-f172.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 56/CB-09857-A6C8CF95 for <internals@lists.php.net>; Fri, 03 Nov 2017 10:34:02 -0500
Received: by mail-ot0-f172.google.com with SMTP id u41so2746157otf.12
        for <internals@lists.php.net>; Fri, 03 Nov 2017 08:34:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=paragonie-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:from:date:message-id:subject:to;
        bh=jpwoZAyIOT2TRQxJAggMJyD6q8wF+h3qxqm9xQ1YNmQ=;
        b=GacMXiQvysChc9zvBtC7cX5tn4gXL7Jpa+5C4NlEovTrn85vo4JMXz+hDMYEU74na2
         65UiEO2uT9O8uB3oSve0eCWeEbx5/RPVXRCf6NzFNmCWvncd2pDHDChSLFqWo26KtUKv
         pmkuxq3X1cZZkFufap2hPKpn8KORQops/te6xEwSHZZfmbn8u1FkKJXlQTgKO3fqKrAK
         pEI5Zfsq6nYpFX/Nez/Z8gWL4kJ3PwbX8lwABG5yA8OKu0P4IPakORwtphUzhqvPA68Y
         uf71zIP4hGPsqF9jVNA96iJ/iGlZLQQ86iDYEaZoaeoUQFsVevXokC5aK3T43uTu5lzU
         8B2w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
        bh=jpwoZAyIOT2TRQxJAggMJyD6q8wF+h3qxqm9xQ1YNmQ=;
        b=VrXCKeoMeo1wQyMU1LQCvbirwTzGdxAnL51B9pFPlmJYrDma1CtjBdsY1TcL/43yJZ
         TW3FPcYAsXbF8vwS0/QMBnYMK2WYsfctcV/bL+QVg4ONMKLOlnoxzpPEtkN/OOqANR/R
         rxXwWQ4wYyYOK3CN16+XJSShohoItRc3woMhnAyWabocyIHv480wqG4uSJcjyL3WL4Uz
         swpoE/VYIrKB3SvEkWUlJDGKnbpnmqby+FXLC0T0raaXG+ZCGhQGmbCG2iyXW9+JWmoH
         tC3xv043qoFY7t+ragol9t8qPxEpiSih4YsoPV5JlLOnuBWmHIshiiqgqaIal26TRlGt
         g6VQ==
X-Gm-Message-State: AJaThX76RaUaaR43k0qgsj5QJUbG7Egw3RJqL+yHodZ1ltCXJDgN5+GH
	AKC7Py+KP6SXJRnhbT5m6Ync11VVMeOHCyFvpoKhnqCv+Yo=
X-Google-Smtp-Source: ABhQp+TjzHUTWESkT/rbbckyoK2xjqsW6Xv+nFrqaC85gxWVWi8QIO250gwjR8MsUU+A7hFDY36rfuOOt9m+ljIPf54=
X-Received: by 10.157.63.197 with SMTP id i5mr4940861ote.384.1509723239220;
 Fri, 03 Nov 2017 08:33:59 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.157.82.3 with HTTP; Fri, 3 Nov 2017 08:33:58 -0700 (PDT)
Date: Fri, 3 Nov 2017 11:33:58 -0400
Message-ID: <CAKws9z1CeGHDmJ7hvX=mTXabMY+2fWgCjJw1N03bLZ=6PAsVng@mail.gmail.com>
To: PHP Internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="001a113b1c1662186f055d15d507"
Subject: Idea: PDO - Single-round-trip prepared statements
From: scott@paragonie.com (Scott Arciszewski)

--001a113b1c1662186f055d15d507
Content-Type: text/plain; charset="UTF-8"

This came up in a discussion on Reddit:

https://www.reddit.com/r/PHP/comments/79xgcg/disclosure_wordpress_wpdb_sql_injection_technical/dp7wln0/?context=5

For database drivers that support sending the query and parameters in the
same TCP packet (n.b. not in the same query string, though, or we lose the
code-data separation benefits that prepared statements offers and makes SQL
injection provably mitigated), we can make prepared statements as efficient
as unsafe queries.

My proposal, for one-off prepared queries:

    $results = $pdo->safeQuery(
        "SELECT * FROM foo WHERE id = :userid",
        array('userid' => $_GET['user_id'])
    );

In this case, $results will be a PDOStatement object just like if you
performed the following:

    $results = $pdo->prepare("SELECT * FROM foo WHERE id = :userid");
    $results->execute(['userid' => $_GET['user_id']);

However, it won't need a separate execute() call. You can immediately fetch
the results.

We use a similar interface in EasyDB[1], but this is a higher-level
abstraction around PDO::prepare() and PDOStatement::execute().

Questions/Challenges:

1. Which DB drivers (and which versions) support 1RT prepared statements in
addition to 2RT prepared statements?
2. Is there a better name for this usage than safeQuery()?

If this turns out to be a good idea, I'll write up an RFC targeting PHP 7.3.

-----

[1]: https://github.com/paragonie/easydb

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>

--001a113b1c1662186f055d15d507--