Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:115461
Return-Path: <jordan.ledoux@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 84721 invoked from network); 18 Jul 2021 08:27:11 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 18 Jul 2021 08:27:11 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 32AEA1804AA
	for <internals@lists.php.net>; Sun, 18 Jul 2021 01:51:52 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE,
	RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS
	autolearn=no autolearn_force=no version=3.4.2
X-Spam-Virus: No
X-Envelope-From: <jordan.ledoux@gmail.com>
Received: from mail-lj1-f175.google.com (mail-lj1-f175.google.com [209.85.208.175])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Sun, 18 Jul 2021 01:51:51 -0700 (PDT)
Received: by mail-lj1-f175.google.com with SMTP id y7so20538232ljm.1
        for <internals@lists.php.net>; Sun, 18 Jul 2021 01:51:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=Si4zZyHGlcCK6uD3qHYGY9GuC2vq4Ogd8mGf7VxXp2I=;
        b=ZvAsXlTNOu8DhGlBmhilBQvBZvxxa9kCvwvkma01Eu+KIB699xoxitQGEhPCGgSAlV
         M1fS3gGd8e0w/erO96TefY9lYg3dF05+KS/nCzxkbe35N+B1Yn2Qr1I22wxNza29RjOv
         WkucXDNJXrPJHqPng29Uu/VNuWYJE0NTffjVfCmxSgsMsBPfjI86iUYFwteW6b9bjqr2
         hLHk33C1ty9It+yXbL/MVJUWnKgXo6gK6HV3n6KAhgZnW4rJSM8JeR8JRoXWgfzRYWN0
         Xr/o0Mp8YKTNJAjfPPBk+Z3GlkQ82sE4Pkzpy1NnKfNQsq2W2rMtRzyApuVVdDodeIhv
         rboQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=Si4zZyHGlcCK6uD3qHYGY9GuC2vq4Ogd8mGf7VxXp2I=;
        b=ZSW3YDIPJLZnjvqTnq89emhBiHxAyhdQsCa95+0x0jUFxg9aJSh7jdjqO5ifQZMp3H
         lkJZSVB2GY0k3h4+FIRlbxxXxRq/2+hGeqvz59Yb6RIcZaf9lDqeqfeUQW2iJ6ySWlaR
         qYOiiHJl9xptw/fODVTLHB5Kf3NVCO3IZiNW9mw43TMU6svTPSBghb8CF+EnWSZU6n0N
         cvklOY7Bz11S1ajJMWsWs07cmXwA57hXavb9cSL1K0IADeAiBUSur7WELndZdvTZZnSD
         Tlvt8I9ipFYuWPeCqWEV8UkjQJryFB7RSczGOt+jKoq6pv0OhO0P/zksCSKlG3ivc1/0
         QPvw==
X-Gm-Message-State: AOAM530l/t4MwR6age3g66RBeBgSD0lFAfqgLRNzf5r6SzrFsIYn2v/m
	WwxzsEge+uEZ/l+uxNRCFExSP9x6XH5ZE3aQSbE=
X-Google-Smtp-Source: ABdhPJzk6r9G+Kr9G9LGq8HHuBvkr3n3ayPBirsQLCeDUqVZXGJ2/H7/QhoxQR/FcQ8mLRQ7d9DF3mxDKxDT9Y6zvcc=
X-Received: by 2002:a2e:a886:: with SMTP id m6mr18038143ljq.54.1626598308385;
 Sun, 18 Jul 2021 01:51:48 -0700 (PDT)
MIME-Version: 1.0
References: <CAFv4g+HRHrvCOTgpbVfCXj06De1kL+1+RwnGgq6tcyLNAtLfQA@mail.gmail.com>
 <CADyq6s+eu4bLM3Z+28Vd0BoGzdbXRyG2Hw9OXqQtyok32p1CJQ@mail.gmail.com>
 <CAFv4g+H2Eec0SXif3=0nP4wwEaXzggTEPxJjm7fmuwQCR3CFFw@mail.gmail.com>
 <CAMrTa2GVpugjj71tcQO8oJgMyf7A_naHbrakjRWj92oKkAJQOw@mail.gmail.com> <fc75a9e5-8f16-2fa1-01a0-a69fa7ed28ee@allenjb.me.uk>
In-Reply-To: <fc75a9e5-8f16-2fa1-01a0-a69fa7ed28ee@allenjb.me.uk>
Date: Sun, 18 Jul 2021 01:51:38 -0700
Message-ID: <CAMrTa2Ebev1pVSzUWLx24_W5B5jc_6TTMNPJLAqzDdwpH+oGyw@mail.gmail.com>
To: AllenJB <php.lists@allenjb.me.uk>
Cc: Craig Francis <craig@craigfrancis.co.uk>, Marco Pivetta <ocramius@gmail.com>, 
	PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="0000000000005d170905c761ee3f"
Subject: Re: [PHP-DEV] [RFC] [VOTE] is_literal
From: jordan.ledoux@gmail.com (Jordan LeDoux)

--0000000000005d170905c761ee3f
Content-Type: text/plain; charset="UTF-8"

That sounds like something that would require both a deprecation and an RFC
for the change then, even if the actual change in the source is small.

It still may be worth exploring, since this surely gives a large number of
people false confidence in protection against injection attacks, as nearly
every available tutorial on using PDO in PHP declares that simply using
prepared statements protects you from injection attacks.

On Sun, Jul 18, 2021 at 12:47 AM AllenJB <php.lists@allenjb.me.uk> wrote:

>
> On 18/07/2021 03:41, Jordan LeDoux wrote:
> > Related to the general topic of injection attacks, I was considering
> > submitting a PR to change the default of PDO::ATTR_EMULUATE_PREPARES to
> > FALSE, since this mistakenly can lead people to believe that using
> prepared
> > statements with PDO and MySQL protects against injection attacks. In
> fact,
> > this is only the case if they create the PDO object with the option
> > specified as false. I'm not aware however to reasoning for enabling
> prepare
> > emulation by default for MySQL. I would assume it's a performance choice,
> > but how long ago was this choice made and is it worth revisiting? Would
> > this be something that requires its own RFC? It's a single line change.
> >
> > Jordan
>
> There's some BC-breaks to be aware of when switching emulated prepares.
> One example I know of is that when using emulated prepares you can reuse
> the same placeholder (as in the following example), but with emulated
> prepares disabled this does not work.
>
> $sql = "SELECT * FROM table WHERE column1 LIKE CONCAT('%', :searchValue,
> '%') OR column2 LIKE CONCAT('%', :searchValue, '%');";
> $params = [
>      "searchValue" => "test",
> ];
>
> With emulated prepares disabled you have to use:
>
> $sql = "SELECT * FROM table WHERE column1 LIKE CONCAT('%', :searchValue,
> '%') OR column2 LIKE CONCAT('%', :searchValue2, '%');";
> $params = [
>      "searchValue" => "test",
>      "searchValue2" => "test",
> ];
>
>
>

--0000000000005d170905c761ee3f--