Newsgroups: php.internals
Xref: news.php.net php.internals:52121
Subject: Re: [PHP-DEV] Change Request: Make PDO default to not emulate prepared statements for MySQL
From: info@tyrael.hu (Ferenc Kovacs)
Date: Sat, 30 Apr 2011 21:58:35 +0200
To: Rasmus Lerdorf
Cc: Anthony Ferrara, internals@lists.php.net
In-Reply-To: <4DBC5C8B.8090404@lerdorf.com>
References: <4DBC2D1B.10302@lerdorf.com> <4DBC4885.7010209@sugarcrm.com> <4DBC4C9A.2050502@lerdorf.com> <4DBC56D2.8060101@lerdorf.com> <4DBC5C8B.8090404@lerdorf.com>

On Sat, Apr 30, 2011 at 9:01 PM, Rasmus Lerdorf wrote:
> On 04/30/2011 11:59 AM, Anthony Ferrara wrote:
>
>> I'm not arguing that there weren't reasons for implementing it this way.
>> I am arguing whether they are good enough reasons to justify the security
>> impact. It's not my decision (and I respect that), but I would stress
>> that what PDO is doing is not prepared statements or even
>> parameterized queries, and as such does not have the same benefits as
>> using true prepared statements (and perhaps the documentation needs to
>> be updated to reflect that).
>
> How are native prepared statements any more secure than emulated ones?
> Neither will completely protect you against SQLi.
>
> -Rasmus

Real prepared statements push the parameter binding to the server, so you have only one component where things could go wrong. With emulated prepared statements you can be screwed both via the PHP parameter binding and when the query is executed on the server (for example via a misunderstanding of the encoding between the PHP lib and the MySQL server).

Tyrael
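The difference Tyrael is pointing at, modelled in-process as an added example (Python, written for this page; it is not code from the thread, from PHP or from PDO and does not talk to a real MySQL server). "Emulated" means the client escapes the value and splices it into the statement text, so the server later lexes one string that mixes code and data; "native" means the server lexes the template and receives the value separately. The encoding misunderstanding the reply mentions is shown through its well-known concrete instance, which the thread itself does not name: the client escapes byte by byte as if the connection were single-byte while the server reads the statement as GBK, where the byte pair 0xBF 0x5C is a single character and the backslash disappears into it. `SERVER_CHARSET`, `TEMPLATE` and `PAYLOAD` are constructed inputs, `naive_escape`/`charset_aware_escape` are two hypothetical client escapers, and `server_tokenize` is a deliberately crude stand-in for the MySQL lexer (single-quoted literals with backslash escapes and `-- ` comments only).

```python
# Added example, not code from the thread or from PHP/PDO: an in-process model of
# client-side (emulated) versus server-side (native) parameter binding.
# SERVER_CHARSET, TEMPLATE and PAYLOAD are constructed inputs.

SERVER_CHARSET = "gbk"                      # assumed: the server decodes statements as GBK
TEMPLATE = "SELECT * FROM users WHERE name = ?"
PAYLOAD = b"\xbf' OR 1=1 -- "               # constructed attacker input: GBK lead byte, quote, injected SQL


def naive_escape(value: bytes) -> bytes:
    """Hypothetical client escaper that believes the connection is single-byte
    (the library was never told the server switched to GBK): every quote,
    backslash and NUL byte gets a backslash in front of it, byte by byte."""
    out = bytearray()
    for b in value:
        if b in (0x27, 0x22, 0x5C, 0x00):   # ' " \ NUL
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def charset_aware_escape(value: bytes, charset: str) -> bytes:
    """Hypothetical client escaper that agrees with the server on the charset:
    decode strictly first (a stray lead byte such as 0xBF in front of a quote is
    malformed and is rejected instead of passed through), escape at the character
    level, then re-encode. Raises UnicodeDecodeError on malformed input."""
    text = value.decode(charset)            # strict decode: malformed sequences raise
    escaped = (text.replace("\\", "\\\\").replace("'", "\\'")
                   .replace('"', '\\"').replace("\x00", "\\0"))
    return escaped.encode(charset)


def emulate_prepare(template: str, param: bytes, escape) -> bytes:
    """Emulated prepare: the client quotes the escaped value and splices it into
    the statement text; code and data now travel to the server as one string."""
    return template.encode("ascii").replace(b"?", b"'" + escape(param) + b"'", 1)


def server_tokenize(sql: bytes, server_charset: str) -> tuple[str, list[str]]:
    """Crude model of the server's lexer: decode the statement with the *server's*
    charset, then split it into SQL code and single-quoted literals. Handles
    backslash escapes and "-- " line comments only. Returns the code with every
    literal replaced by ? plus the list of literal values."""
    text = sql.decode(server_charset, errors="replace")
    code, literals, i = [], [], 0
    while i < len(text):
        if text.startswith("-- ", i):       # comment: the rest of the line is ignored
            break
        if text[i] != "'":
            code.append(text[i])
            i += 1
            continue
        i += 1                               # opening quote
        lit = []
        while i < len(text) and text[i] != "'":
            if text[i] == "\\" and i + 1 < len(text):
                i += 1                       # escaped character
            lit.append(text[i])
            i += 1
        if i >= len(text):
            raise ValueError("unterminated string literal")
        i += 1                               # closing quote
        literals.append("".join(lit))
        code.append("?")
    return "".join(code), literals


def native_prepare(template: str, param: bytes, server_charset: str) -> tuple[str, list[bytes]]:
    """Server-side binding: the server lexes only the template, which holds the
    placeholder and no data; the parameter is shipped separately and never lexed,
    so no byte of it can open or close a literal."""
    code, _ = server_tokenize(template.encode("ascii"), server_charset)
    return code, [param]


def injected(code: str) -> bool:
    """True when the SQL code the server lexed differs from the intended template,
    i.e. parameter bytes have become code."""
    return code.strip() != TEMPLATE


def run_all() -> dict:
    """Push PAYLOAD through each binding path and return what the server ends up with."""
    results = {}
    sql = emulate_prepare(TEMPLATE, PAYLOAD, naive_escape)
    results["emulated_mismatched_charset"] = server_tokenize(sql, SERVER_CHARSET)
    try:
        sql = emulate_prepare(TEMPLATE, PAYLOAD, lambda v: charset_aware_escape(v, SERVER_CHARSET))
        results["emulated_matching_charset"] = server_tokenize(sql, SERVER_CHARSET)
    except UnicodeDecodeError:
        results["emulated_matching_charset"] = "rejected by client: malformed GBK input"
    results["native"] = native_prepare(TEMPLATE, PAYLOAD, SERVER_CHARSET)
    return results


if __name__ == "__main__":
    for path, outcome in run_all().items():
        print(f"{path}: {outcome}")
```

With the mismatched charset the server lexes `name = '縗' OR 1=1` and the comment swallows the closing quote the client added, so the injected clause becomes code; with a charset-aware client the same bytes are refused before any SQL is built; with native binding the lexed code is the template no matter what the parameter contains, which is the "only one component where things could go wrong" in the reply. In PDO terms the native path is `PDO::ATTR_EMULATE_PREPARES => false`, and the matching-charset path means telling the driver the charset (the `charset=` DSN parameter) rather than issuing `SET NAMES` as a query, which changes the server's idea of the encoding but not the client library's.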