Newsgroups: php.internals
Subject: Re: [PHP-DEV] [off] PHP: a fractal of bad design
From: lester@lsces.co.uk (Lester Caine)
Date: Wed, 11 Apr 2012 19:44:52 +0100
Message-ID: <4F85D124.8090300@lsces.co.uk>

Anthony Ferrara wrote:
> Even with PDO and older versions of MySQL, you could inject into
> prepared statements quite easily (assuming charset settings):
>
> $var = '1' . chr(0xbf) . chr(0x27) . ' OR 1=1';
>
> $pdo = new PDO('mysql:...');
> $pdo->query('SET NAMES GBK');
> $stmt = $pdo->prepare('SELECT * FROM foo WHERE 2 = ?');
> $stmt->bindParam(1, $var);
> $stmt->execute();
>
> Without setting $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, 0)
> first, that will successfully inject into the query thanks to how PDO
> emulates prepares.
>
> A problem that true prepared statements (MySQLi, and PDO if emulated
> prepares are off) are immune to...

Try doing that with a real database ;)
Firebird is not susceptible to this sort of problem. And I have still to find any use for PDO in real systems. It's just another layer that gets in the way of processing data securely. Emulating things half-cocked is simply another security hole anyway.

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk//
Firebird - http://www.firebirdsql.org/index.php
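The byte-level mismatch behind the quoted example, as an added illustration that is not part of this thread: a charset-unaware escaper (standing in for the client-side substitution an emulated prepare performs after SET NAMES has changed the server's charset) inserts a backslash that GBK then absorbs into a two-byte character, leaving the quote live. The escaper, the server-view decoder and the validity check are constructed for this demonstration and are not PDO's or MySQL's code; the payload bytes are the ones from the quoted mail.

```python
# Constructed demonstration of the charset mismatch discussed in the thread.
PAYLOAD = b"1" + bytes([0xBF, 0x27]) + b" OR 1=1"   # value from the quoted mail


def escape_bytewise(value: bytes) -> bytes:
    """Backslash-escape quotes byte by byte, with no knowledge of the
    server charset (stand-in for a mis-informed client-side escaper)."""
    return value.replace(b"\\", b"\\\\").replace(b"'", b"\\'")


def build_emulated_query(value: bytes) -> bytes:
    """Client-side substitution of a bound parameter into the SQL text,
    which is what an emulated prepare amounts to."""
    return b"SELECT * FROM foo WHERE 2 = '" + escape_bytewise(value) + b"'"


def server_view(query: bytes, charset: str) -> str:
    """How a server that interprets the bytes in `charset` sees the text.
    In GBK, 0xBF 0x5C is one valid character, so the inserted backslash
    is swallowed and the following 0x27 becomes a real string terminator."""
    return query.decode(charset, errors="replace")


def quote_balanced(sql_text: str) -> bool:
    """Count unescaped single quotes the way the server does after decoding;
    an odd count means the parameter broke out of its string literal."""
    count, i = 0, 0
    while i < len(sql_text):
        if sql_text[i] == "\\":
            i += 2          # a backslash escapes the next character
            continue
        if sql_text[i] == "'":
            count += 1
        i += 1
    return count % 2 == 0


def validate_in_charset(value: bytes, charset: str) -> bool:
    """Defensive check: a value that is not valid in the connection charset
    (here, a GBK lead byte followed by 0x27) is rejected before any
    escaping layer sees it. Native prepared statements avoid the issue
    entirely because the value never enters the SQL text."""
    try:
        value.decode(charset)
        return True
    except UnicodeDecodeError:
        return False
```

Decoded as a single-byte charset the escaped query stays balanced; decoded as GBK the same bytes contain an unescaped quote, and the validity check flags the input as malformed for that charset.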