Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:52117
Return-Path: <rasmus@lerdorf.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 33191 invoked from network); 30 Apr 2011 19:01:46 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 30 Apr 2011 19:01:46 -0000
Authentication-Results: pb1.pair.com smtp.mail=rasmus@lerdorf.com; spf=permerror; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=rasmus@lerdorf.com; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain lerdorf.com from 209.85.212.173 cause and error)
X-PHP-List-Original-Sender: rasmus@lerdorf.com
X-Host-Fingerprint: 209.85.212.173 mail-px0-f173.google.com  
Received: from [209.85.212.173] ([209.85.212.173:59364] helo=mail-px0-f173.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 32/F4-10915-49C5CBD4 for <internals@lists.php.net>; Sat, 30 Apr 2011 15:01:45 -0400
Received: by pxi16 with SMTP id 16so1384718pxi.32
        for <internals@lists.php.net>; Sat, 30 Apr 2011 12:01:33 -0700 (PDT)
Received: by 10.142.62.8 with SMTP id k8mr2345790wfa.134.1304190093285;
        Sat, 30 Apr 2011 12:01:33 -0700 (PDT)
Received: from [192.168.200.140] (c-76-126-236-132.hsd1.ca.comcast.net [76.126.236.132])
        by mx.google.com with ESMTPS id w11sm4815687wfh.6.2011.04.30.12.01.31
        (version=TLSv1/SSLv3 cipher=OTHER);
        Sat, 30 Apr 2011 12:01:32 -0700 (PDT)
Message-ID: <4DBC5C8B.8090404@lerdorf.com>
Date: Sat, 30 Apr 2011 12:01:31 -0700
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110419 Thunderbird/3.1.9
MIME-Version: 1.0
To: Anthony Ferrara <ircmaxell@gmail.com>
CC: "internals@lists.php.net" <internals@lists.php.net>
References: <BANLkTimtRdY_+Jj46jFEqkseuz7WD1ZPZQ@mail.gmail.com>	<4DBC2D1B.10302@lerdorf.com>	<4DBC4885.7010209@sugarcrm.com>	<4DBC4C9A.2050502@lerdorf.com>	<BANLkTikfWW=gczOf3a2c2wQ=bqSJBZH0qg@mail.gmail.com>	<4DBC56D2.8060101@lerdorf.com> <BANLkTinpjwp4_DrRutaQo_=WwMDAnb2BbQ@mail.gmail.com>
In-Reply-To: <BANLkTinpjwp4_DrRutaQo_=WwMDAnb2BbQ@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] Change Request: Make PDO default to not emulate prepared
 statements for MySQL
From: rasmus@lerdorf.com (Rasmus Lerdorf)

On 04/30/2011 11:59 AM, Anthony Ferrara wrote:
> I'm not arguing if there weren't reasons for implementing it this way.
>   I am arguing if they are good enough reasons to justify the security
> impact.  It's not my decision (and I respect that), but I would stress
> that what PDO is doing is not prepared statements or even
> parameterized queries, and as such does not have the same benefits of
> using true prepared statements (and perhaps the documentation needs to
> be updated to reflect that).

How is native prepared statements any more secure than emulated ones? 
Neither will completely protect you against SQLi.

-Rasmus