Newsgroups: php.internals
Xref: news.php.net php.internals:52120
Subject: Re: [PHP-DEV] Change Request: Make PDO default to not emulate prepared statements for MySQL
From: ircmaxell@gmail.com (Anthony Ferrara)
To: Rasmus Lerdorf
Cc: "internals@lists.php.net"
Date: Sat, 30 Apr 2011 15:17:59 -0400
In-Reply-To: <4DBC5F00.3090309@lerdorf.com>

Correct. But prior to 5.3.6 it was not possible to have PDO and MySQL agree on the character set (at least without having root access to the server). And after 5.3.6, the DSN *must* include the charset parameter to make them agree. The common technique of setting the charset via SET NAMES (which most frameworks and libraries do) will not work.

So instead you have people using prepared statements thinking that they are safe (since all documentation says so) while they are actually not. My suggestion is to make them actually safe right from the source rather than requiring an API change. The best solution would be education and raising awareness as well as fixing it in the core. The code is there to do so, all it takes is a single bit change in the source...

Again, that's just my opinion...

Anthony

On Sat, Apr 30, 2011 at 3:12 PM, Rasmus Lerdorf wrote:
> On 04/30/2011 12:05 PM, Anthony Ferrara wrote:
>>
>> Native prepared statements will completely protect you from injection
>> via any of the bound parameters. The wire-level passage of the data
>> is completely different (and the data is sent by length, rather than
>> by delimiter). As an exercise, view the traffic that's sent to the
>> server via Wireshark... As such, they are not subject to proper
>> escaping by character set.
>
> As long as PDO and MySQL agree on which character set is in use bound
> parameters are safe in emulated prepares as well.
>
> -Rasmus
>
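The two connection setups the thread contrasts, as an added example that is not code from either poster or from PHP itself: the weak setup declares the charset only through SET NAMES and keeps emulated prepares, so PDO's client-side escaping can disagree with the server's charset; the hardened setup puts the charset in the DSN (PHP 5.3.6+) and turns emulation off so bound parameters are sent by length over the binary protocol. Host, database, credentials and the utf8mb4 charset are placeholder assumptions.

```php
<?php
// Added example; host, database and credentials below are placeholders.

/**
 * Weak: charset set only via SET NAMES, prepares emulated client-side.
 * PDO escapes bound values using the charset it believes is in use,
 * which SET NAMES does not tell it, so the two can disagree.
 */
function connectWeak(string $host, string $db, string $user, string $pass): PDO
{
    $dsn = "mysql:host={$host};dbname={$db}";
    return new PDO($dsn, $user, $pass, [
        PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES utf8mb4', // server knows, PDO does not
        PDO::ATTR_EMULATE_PREPARES   => true,                // the default the thread objects to
    ]);
}

/**
 * Hardened: charset declared in the DSN so PDO and MySQL agree (PHP >= 5.3.6),
 * and emulation disabled so parameters travel as length-prefixed binary data
 * rather than being escaped into the SQL text.
 */
function connectHardened(string $host, string $db, string $user, string $pass): PDO
{
    $dsn = "mysql:host={$host};dbname={$db};charset=utf8mb4"; // charset value assumed
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}

// Usage: the same parameterised query is only as safe as the connection beneath it.
$pdo  = connectHardened('db.example', 'app', 'app_user', 'placeholder-password');
$stmt = $pdo->prepare('SELECT id, name FROM users WHERE email = :email');
$stmt->execute([':email' => $_GET['email'] ?? '']);
foreach ($stmt as $row) {
    echo $row['id'], ' ', $row['name'], PHP_EOL;
}
```

With `connectWeak()` in place of `connectHardened()` the prepare/execute calls look identical to the application, which is the point the thread makes about developers believing they are protected.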