Newsgroups: php.internals
Subject: Re: [PHP-DEV] [off] PHP: a fractal of bad design
From: Johannes Schlüter <johannes@schlueters.de>
To: Lester Caine
Cc: PHP internals <internals@lists.php.net>
Date: Wed, 11 Apr 2012 23:05:18 +0200
Message-ID: <1334178318.4609.134.camel@guybrush>
In-Reply-To: <4F85D124.8090300@lsces.co.uk>

On Wed, 2012-04-11 at 19:44 +0100, Lester Caine wrote:
> Anthony Ferrara wrote:
> > Even with PDO and older versions of MySQL, you could inject into
> > prepared statements quite easily (assuming charset settings):
> >
> > $var = '1' . chr(0xbf) . chr(0x27) . ' OR 1=1';
> >
> > $pdo = new PDO('mysql:...');
> > $pdo->query('SET NAMES GBK');
> > $stmt = $pdo->prepare('SELECT * FROM foo WHERE 2 = ?');
> > $stmt->bindParam(1, $var);
> > $stmt->execute();
> >
> > Without setting $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, 0)
> > first, that will successfully inject into the query thanks to how PDO
> > emulates prepares.
> >
> > A problem that true prepared statements (MySQLi and if PDO has emulate
> > prepares off) is immune to...
>
> Try doing that with a real database ;)

If PDO decided to use emulation by default (which has benefits like fewer
roundtrips etc.) it's not necessarily the issue from the database. And that
this doesn't work is obvious with emulation - PDO doesn't parse the SQL and
has no understanding of "SET NAMES", neither does the MySQL client lib used.
The proper way to set the encoding is by using the DSN's charset option.

johannes
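The connection setup the reply recommends, written out as an added example (this is not code from the thread or from the PHP project). It puts the charset in the DSN, as Johannes suggests, and additionally turns emulated prepares off, as Anthony's message notes. Host, database name, credentials, table name and the `connectSafely`/`describeConnection` helper names are placeholders and assumptions of this example. The DSN `charset` option is honoured by pdo_mysql from PHP 5.3.6 on; older versions ignore it silently, which is worth checking with the `describeConnection` helper below.

```php
<?php
// Added example, not from the mailing-list thread or the PHP project.
// Host, database, credentials and the table name are placeholders.

function connectSafely(string $host, string $db, string $user, string $pass): PDO
{
    // The charset travels in the DSN, so the MySQL client library is told
    // the connection encoding before it escapes anything. Sending
    // "SET NAMES" later only changes the server's view: PDO and the client
    // library do not parse SQL and never learn about it.
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $host, $db);

    $options = [
        // Server-side prepares: parameters are sent separately from the SQL
        // text, so client-side escaping (and its charset dependence) is not
        // involved at all.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ];

    return new PDO($dsn, $user, $pass, $options);
}

/**
 * Sanity check for an existing handle: returns the two settings that decide
 * whether bound parameters on this connection depend on client-side escaping
 * (emulated prepares) and which charset that escaping would assume.
 */
function describeConnection(PDO $pdo): array
{
    $row = $pdo->query("SHOW VARIABLES LIKE 'character_set_client'")->fetch();

    return [
        'emulate_prepares'     => (bool) $pdo->getAttribute(PDO::ATTR_EMULATE_PREPARES),
        'character_set_client' => $row['Value'] ?? null,
    ];
}

// Usage with placeholder values.
$pdo  = connectSafely('db.example', 'appdb', 'app', 'secret');
$stmt = $pdo->prepare('SELECT * FROM foo WHERE id = ?');
$stmt->bindValue(1, $_GET['id'] ?? '', PDO::PARAM_STR);
$stmt->execute();

// Expect emulate_prepares => false and character_set_client => utf8mb4;
// anything else means the charset or prepare mode did not take effect.
print_r(describeConnection($pdo));
```

Note that `PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES ...'` is not a substitute for the DSN option: it runs on the server like any other statement, so the client library's escaping still does not know about the chosen charset.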