Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:52119 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 36709 invoked from network); 30 Apr 2011 19:12:06 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 30 Apr 2011 19:12:06 -0000 Authentication-Results: pb1.pair.com smtp.mail=rasmus@lerdorf.com; spf=permerror; sender-id=unknown Authentication-Results: pb1.pair.com header.from=rasmus@lerdorf.com; sender-id=unknown Received-SPF: error (pb1.pair.com: domain lerdorf.com from 209.85.210.42 cause and error) X-PHP-List-Original-Sender: rasmus@lerdorf.com X-Host-Fingerprint: 209.85.210.42 mail-pz0-f42.google.com Received: from [209.85.210.42] ([209.85.210.42:36155] helo=mail-pz0-f42.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 50/B5-10915-50F5CBD4 for ; Sat, 30 Apr 2011 15:12:06 -0400 Received: by pzk37 with SMTP id 37so2771372pzk.29 for ; Sat, 30 Apr 2011 12:12:02 -0700 (PDT) Received: by 10.68.18.3 with SMTP id s3mr7083282pbd.246.1304190722240; Sat, 30 Apr 2011 12:12:02 -0700 (PDT) Received: from [192.168.200.140] (c-76-126-236-132.hsd1.ca.comcast.net [76.126.236.132]) by mx.google.com with ESMTPS id y5sm2718754pbq.57.2011.04.30.12.12.00 (version=TLSv1/SSLv3 cipher=OTHER); Sat, 30 Apr 2011 12:12:01 -0700 (PDT) Message-ID: <4DBC5F00.3090309@lerdorf.com> Date: Sat, 30 Apr 2011 12:12:00 -0700 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110419 Thunderbird/3.1.9 MIME-Version: 1.0 To: Anthony Ferrara CC: "internals@lists.php.net" References: <4DBC2D1B.10302@lerdorf.com> <4DBC4885.7010209@sugarcrm.com> <4DBC4C9A.2050502@lerdorf.com> <4DBC56D2.8060101@lerdorf.com> <4DBC5C8B.8090404@lerdorf.com> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] Change Request: Make PDO default to not emulate prepared statements for MySQL From: rasmus@lerdorf.com (Rasmus Lerdorf) On 04/30/2011 12:05 PM, Anthony Ferrara wrote: > Native prepared statements will completely protect you from injection > via any of the bound parameters. The wire-level passage of the data > is completely different (and the data is sent by length, rather than > by deliminator). As an exercise, view the traffic that's sent to the > server via Wireshark... As such, they are not subject to proper > escaping by character set. As long as PDO and MySQL agree on which character set is in use bound parameters are safe in emulated prepares as well. -Rasmus