Newsgroups: php.internals
Subject: Re: [PHP-DEV] [PATCH - PR] Disable ATTR_EMULATE_PREPARES by default for PDO_Mysql
From: ulf.wendel@phpdoc.de (Ulf Wendel)
To: internals@lists.php.net
Date: Sat, 16 Jun 2012 09:19:50 +0200
Message-ID: <4FDC3396.10406@phpdoc.de>
References: <4FDB5604.5000704@oracle.com> <4FDB62C2.6090702@oracle.com>
In-Reply-To: <4FDB62C2.6090702@oracle.com>

On 15.06.2012 18:28, Christopher Jones wrote:
> On 06/15/2012 08:34 AM, Ulf Wendel wrote:
>> As long as client-side escaping is done properly, there is no
>> practical difference between the [client vs server -prepare]
>> approaches.
>
> The big problem with this line of reasoning is that the client must
> know exactly the same dialect of SQL/XQUERY/whatever that the server
> does. Since we can't predict the future, and so a new DB might

Plain wrong. If the client does not mess up on types and charsets, there is no practical difference between the security of properly done client-side escaping and server-side escaping. No matter if the subject of escaping is a fairy tale on Goofy or any other string that happens to look like any other human-invented format, e.g. SQL.

Ulf
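The two conditions Ulf names, the client knowing the connection charset and the parameter types, are exactly what decides whether emulated (client-side) and native (server-side) prepares behave the same in PDO_Mysql. The following is an added example, not code from the thread or from PHP itself; host, database and credentials are placeholders.

```php
<?php
// Added example (not from the thread). Connection values are placeholders.
// Demonstrates PDO_Mysql with ATTR_EMULATE_PREPARES on and off, with the
// charset declared in the DSN and parameter types bound explicitly.

function connect(bool $emulate): PDO
{
    // Put the charset in the DSN rather than in a later "SET NAMES" query:
    // with emulation on, pdo_mysql escapes values client-side using the
    // charset the client library believes the connection has, and a
    // SET NAMES sent as a plain query does not tell the client library.
    $dsn = 'mysql:host=db.example;dbname=app;charset=utf8mb4'; // placeholder
    return new PDO($dsn, 'app_user', 'app_password', [       // placeholders
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => $emulate,
    ]);
}

function findUsers(PDO $pdo, string $name, int $limit): array
{
    // The same statement runs in both modes. With emulation off the server
    // receives statement text and values separately (native prepare); with
    // emulation on, pdo_mysql quotes/escapes the values and interpolates
    // them into the text itself before sending one query.
    $stmt = $pdo->prepare(
        'SELECT id, name FROM users WHERE name = :name LIMIT :lim'
    );
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    // Explicit PARAM_INT is the "type" half of the argument: under
    // emulation a string-bound value would be interpolated as '10',
    // which MySQL rejects in a LIMIT clause.
    $stmt->bindValue(':lim', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

foreach ([false, true] as $emulate) {
    $pdo  = connect($emulate);
    $mode = $pdo->getAttribute(PDO::ATTR_EMULATE_PREPARES) ? 'emulated' : 'native';
    // A name containing a quote character is bound safely in either mode.
    $rows = findUsers($pdo, "O'Brien", 10);
    printf("%s prepares: %d row(s)\n", $mode, count($rows));
}
```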