Newsgroups: php.internals
Subject: Re: [PHP-DEV] Change Request: Make PDO default to not emulate prepared statements for MySQL
From: ircmaxell@gmail.com (Anthony Ferrara)
To: Rasmus Lerdorf
Cc: "internals@lists.php.net"
Date: Sat, 30 Apr 2011 15:05:38 -0400
In-Reply-To: <4DBC5C8B.8090404@lerdorf.com>

Native prepared statements will completely protect you from injection via any of the bound parameters. The wire-level passage of the data is completely different (and the data is sent by length, rather than by delimiter). As an exercise, view the traffic that's sent to the server via Wireshark... As such, they are not subject to proper escaping by character set.

On Sat, Apr 30, 2011 at 3:01 PM, Rasmus Lerdorf wrote:
> On 04/30/2011 11:59 AM, Anthony Ferrara wrote:
>>
>> I'm not arguing if there weren't reasons for implementing it this way.
>> I am arguing if they are good enough reasons to justify the security
>> impact. It's not my decision (and I respect that), but I would stress
>> that what PDO is doing is not prepared statements or even
>> parameterized queries, and as such does not have the same benefits of
>> using true prepared statements (and perhaps the documentation needs to
>> be updated to reflect that).
>
> How are native prepared statements any more secure than emulated ones?
> Neither will completely protect you against SQLi.
>
> -Rasmus
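The setting the thread is about, as an added example that is not code from the thread or from PHP itself: a PDO/MySQL connection with prepared-statement emulation turned off, so that parameters travel to the server separately from the SQL text, with the weak (then default) setting shown commented out beside it and the connection charset declared in the DSN. The host, database, credentials and `users` table are placeholders.

```php
<?php
// Added example (not from the thread): open a PDO/MySQL connection that uses
// native (server-side) prepared statements instead of PDO's client-side
// emulation, and declare the connection charset in the DSN so the driver and
// the server agree on how bound strings are interpreted.

function connectNative(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        // Weak (the default discussed in the thread): PDO interpolates bound
        // values into the SQL text on the client and escapes them itself, so
        // correctness depends on the client knowing the server's charset.
        //   PDO::ATTR_EMULATE_PREPARES => true,
        // Hardened: statement and parameters are sent separately; values go
        // over the wire length-prefixed and are never parsed as SQL text.
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}

function findUserByName(PDO $pdo, string $name): array
{
    // The SQL text contains only a placeholder; $name is bound as data, so a
    // quote or comment sequence inside it cannot change the statement.
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Placeholder DSN and credentials; charset=utf8mb4 is stated in the DSN.
$pdo = connectNative(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'app_user',
    'placeholder-password'
);
print_r(findUserByName($pdo, "o'neil"));
```

Run against a MySQL instance with a `users(id, name)` table; with emulation off, the MySQL general log or a packet capture shows a COM_STMT_PREPARE followed by a COM_STMT_EXECUTE carrying the value, rather than one query string with the value spliced in.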