Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:115466 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 30833 invoked from network); 18 Jul 2021 22:13:16 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 18 Jul 2021 22:13:16 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 451261804D0 for ; Sun, 18 Jul 2021 15:38:05 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE, SPF_PASS autolearn=no autolearn_force=no version=3.4.2 X-Spam-Virus: No X-Envelope-From: Received: from mail-ot1-f44.google.com (mail-ot1-f44.google.com [209.85.210.44]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Sun, 18 Jul 2021 15:38:04 -0700 (PDT) Received: by mail-ot1-f44.google.com with SMTP id 59-20020a9d0ac10000b0290462f0ab0800so16302804otq.11 for ; Sun, 18 Jul 2021 15:38:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=RXw8JkPN79japq4kW3yBbettFloU7RZg4D1eztSYjcQ=; b=Mvm2nix7zXgSDa0EC3SKFEpCVUC9nNUk9n30pMs2D5ZTCDx+ki00eFi2PJIjAOOZJ7 nlSUBoWVBurWtEpKZaS882wrqGDZJOMt801XqdePDHIpQDX8Xji01b7WpCHvBjz+Zprn /q27SCjLPVyc6gjcqy1NgSJnEPMwDECLMtzEA3coFuL4RFUpF5GvC9nHbNZ4bu0Hypgv jXweU3c1Ge2YtQec8qKs5Z+1hpN36FMeQQapE3rIKMU2NjNl3RWCtRSOOZythdOgvfPb dGqvXXbFYRHR7mSaHst2I0GK2GeZ7przRsE6EeYbQxbMLAyYVHQGEGMYSLyUQp1FObDK uAXA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=RXw8JkPN79japq4kW3yBbettFloU7RZg4D1eztSYjcQ=; b=HQmMeCitgp/0FUNV6wW8QekyrBHPnpMKuh+wRapwB2EZGCUyPepIwEqhTHn58e1Zu/ zfsAiFH6SpZdLIecCeCvNanSj70FfvP9hHFfXj457BnXsM9aqLPiUnvrMgUysig1j7jH HvZI8d5x+VqkyvDD/pm0OA8DRojHHvJ7qgX9cDxceh5OQCBe57pTHk08NRxa1hmLqSJr RgQAnSutlPLk6xPqSWFNhOQjDTbkFC4mKZO+drqzxEo/PzpI/QHcPMJAtSkfL6V4VcmN jpoEbjaG5q/JJW413cyUxrOfM+XZSLbwuZE2qFHX5+mif+Q8oEnNq9tqgjz2VnzR78jK 1fQA== X-Gm-Message-State: AOAM532cVaHNP7KunUJQJLBXKxKrIZS/8qdSoMZ9XwKh+ECzdJAimdrg MR/BFrQS4VDVkJCTLQ6e2rqeljbi8xw1I44nC9o= X-Google-Smtp-Source: ABdhPJxxhdqcudGdHCKFmJY7yYiZO/RQwWLQjt29PRx10FYdRALuE4ZuFwG+0FuendJ2EUaySP5D0dWKC84f0I1UqlU= X-Received: by 2002:a05:6830:2470:: with SMTP id x48mr4902060otr.358.1626647880005; Sun, 18 Jul 2021 15:38:00 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: Date: Mon, 19 Jul 2021 00:37:49 +0200 Message-ID: To: AllenJB Cc: Jordan LeDoux , Craig Francis , Marco Pivetta , PHP internals Content-Type: multipart/alternative; boundary="0000000000000ffac705c76d793d" Subject: Re: [PHP-DEV] [RFC] [VOTE] is_literal From: benjamin.morel@gmail.com (Benjamin Morel) --0000000000000ffac705c76d793d Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable > > There's some BC-breaks to be aware of when switching emulated prepares. > One example I know of is that when using emulated prepares you can reuse > the same placeholder (as in the following example), but with emulated > prepares disabled this does not work. > > $sql =3D "SELECT * FROM table WHERE column1 LIKE CONCAT('%', :searchValue= , > '%') OR column2 LIKE CONCAT('%', :searchValue, '%');"; > $params =3D [ > "searchValue" =3D> "test", > ]; > This, and do note that from a performance point of view, disabling emulated prepares is not innocuous : most of the time, you effectively send twice as many queries to the database : one prepare, one execute. There is a *small* performance improvement in using prepared statements if you're executing the same statement many times; but in all other cases, you're spending twice as much time waiting for the database. Are there documented SQL injection opportunities when using emulated prepares? I'm not aware of any. =E2=80=94 Benjamin --0000000000000ffac705c76d793d--