Newsgroups: php.internals
Xref: news.php.net php.internals:60894
Message-ID: <4FE0F301.70808@oracle.com>
Date: Tue, 19 Jun 2012 14:45:37 -0700
To: internals@lists.php.net
References: <4FDB5604.5000704@oracle.com> <4FDB62C2.6090702@oracle.com> <4FDC3396.10406@phpdoc.de>
In-Reply-To: <4FDC3396.10406@phpdoc.de>
Subject: Re: [PHP-DEV] [PATCH - PR] Disable ATTR_EMULATE_PREPARES by default for PDO_Mysql
From: christopher.jones@oracle.com (Christopher Jones)

On 06/16/2012 12:19 AM, Ulf Wendel wrote:
> On 15.06.2012 18:28, Christopher Jones wrote:
>
>> On 06/15/2012 08:34 AM, Ulf Wendel wrote:
>>> As long as client-side escaping is done properly, there is no
>>> practical difference between the [client vs server -prepare]
>>> approaches.
>>
>> The big problem with this line of reasoning is that the client must
>> know exactly the same dialect of SQL/XQUERY/whatever that the server
>> does. Since we can't predict the future, and so a new DB might
>
> Plain wrong. If the client does not mess up on type and charsets there is
> no practical difference between the security of properly done client-side
> escaping and server-side escaping. No matter if the subject of escaping
> is a fairy tale on goofy or any other string that happens to look like
> any other human-invented format, e.g. SQL.
>
> Ulf
>

We should take this offline - I can see cases where I'd strongly disagree.

Chris

--
christopher.jones@oracle.com
http://twitter.com/#!/ghrd
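The thread is arguing over PDO_Mysql's two prepare modes. As an added illustration (not code from the thread or from the PDO project), this shows how a connection selects between them and why the charset declaration matters; host, database, table and credentials are placeholders.

```php
<?php
// Added example: the two PDO_Mysql prepare modes the patch is about.
// Host, database, credentials and the "users" table are placeholders.
declare(strict_types=1);

function connect(bool $emulatePrepares): PDO
{
    // Declaring the charset in the DSN keeps client and server agreeing on
    // the encoding. With emulated prepares this is what client-side quoting
    // relies on (Ulf's "type and charsets" condition); with native prepares
    // the server does the binding, so the client need not reproduce its rules.
    $dsn = 'mysql:host=127.0.0.1;dbname=example_db;charset=utf8mb4';
    return new PDO($dsn, 'example_user', 'example_password', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // false: placeholders are sent to the server and bound there.
        // true (the default the patch changes): PDO interpolates quoted
        // values into the SQL text on the client before sending it.
        PDO::ATTR_EMULATE_PREPARES => $emulatePrepares,
    ]);
}

function findUser(PDO $pdo, int $id): ?array
{
    // Same application code in both modes; only where the value is bound differs.
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Server-side prepares: the statement text reaches MySQL with the placeholder intact.
$pdo = connect(false);
var_dump($pdo->getAttribute(PDO::ATTR_EMULATE_PREPARES)); // bool(false)
print_r(findUser($pdo, 42));
```

One caveat when turning emulation off: MySQL only permits certain statement types to be prepared server-side, so statements that worked under emulation may fail at prepare() and need to be run unprepared.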