Newsgroups: php.internals
Xref: news.php.net php.internals:78119
In-Reply-To: <543FE883.2070401@lerdorf.com>
Date: Thu, 16 Oct 2014 18:10:34 +0200
To: Rasmus Lerdorf
Cc: Anthony Ferrara, PHP Internals
Subject: Re: [PHP-DEV] [PATCH - PR] Disable ATTR_EMULATE_PREPARES by default for PDO_Mysql
From: tyra3l@gmail.com (Ferenc Kovacs)

On Thu, Oct 16, 2014 at 5:47 PM, Rasmus Lerdorf wrote:
> On 10/16/2014 04:27 AM, Ferenc Kovacs wrote:
> > On Fri, Jun 15, 2012 at 3:01 AM, Anthony Ferrara wrote:
> >
> >> Hello all,
> >>
> >> I raised this topic on list over a year ago (
> >> http://marc.info/?l=php-internals&m=130417646507744&w=2 ). It was
> >> determined that it wasn't time yet to disable prepared statement
> >> emulation for MySQL. However, Rasmus did mention that it was a
> >> possibility for 5.4 (
> >> http://marc.info/?l=php-internals&m=130418875017027&w=2 ). Since that
> >> ship has sailed, I submitted a pull request for trunk to change the
> >> default value of prepared statement emulation for MySQL.
> >>
> >> https://github.com/php/php-src/pull/108
> >>
> >> https://bugs.php.net/bug.php?id=54638
> >>
> >> Does this need to be an RFC (should I draft one)? Or can it just be
> >> pulled as-is?
> >>
> >> Thanks,
> >>
> >> Anthony
> >>
> >> --
> >> PHP Internals - PHP Runtime Development Mailing List
> >> To unsubscribe, visit: http://www.php.net/unsub.php
> >>
> >>
> > hi,
> >
> > do we want to change the default for this in PHP7?
>
> Honestly, I am not sure about this anymore. There is a significant
> performance benefit in doing client-side prepares. Last year I attempted
> to switch to server-side prepares on Etsy's production servers but it
> added 30-40ms of page latency because of the extra round trips. And yes,
> we were doing too many queries, but I fear if we change this default
> people won't understand where this slowdown is coming from.
>
> Of course, in some rare cases using server-side prepares might speed
> things up because of prepared statement caching in the server, but I
> have yet to see a case where that caching outweighs the extra tcp
> roundtrip overhead.
>
> I do agree that the default should probably be server-side since it is
> the least surprising. We just need to make it very very clear in the
> upgrade doc that this change will likely slow down people's apps and
> show them how to turn client-side prepares back on.
>
> -Rasmus
>

I don't think we should remove the option, just change the defaults, and
most people would be fine switching back to the emulation, but it should be
their conscious decision imo.
Currently many people aren't aware that they are using client-side prepares,
and they pretty much ignore the fact that they can be exposed to SQL
injections (for example via mismatching client and server encodings or not
properly quoting the identifiers: http://www.codeyellow.nl/identifier-sqli.html
because they think that server-side prepared statements would be immune to
this kind of problem).
I think it would be better to change the default in a major version if the
tradeoff is performance vs security, and if they think that they are okay
with the emulation, they can change it back.

ps: don't forget that some/many of our users are still using php on a
single server setup, where the mysql connection is done through a unix
socket instead of the network stack, so the roundtrip there will be even
less noticeable, and usually those are the kind of users who need safe
defaults because they can't afford to be aware of or change settings/code
for their apps.

--
Ferenc Kovács
@Tyr43l - http://tyrael.hu
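The client/server encoding mismatch mentioned above, as an added example that is not part of the original thread and not PDO's or libmysql's own code: a byte-level Python model of what emulated prepares do. The client splices each parameter into the SQL text as an escaped literal, so the result is only safe if the client escapes with the charset the server will lex with. `escape_single_byte`, `escape_gbk`, `emulate_prepare` and `sql_outside_literals` are simplified models written for this illustration (the GBK byte ranges are the real ones; the escaping and lexing rules are reduced to what the example needs), and the payload bytes are constructed. Nothing here connects to a database.

```python
# Added example (not code from the thread or from PHP/PDO): a byte-level model
# of why client-side ("emulated") prepares are only as safe as the client's
# knowledge of the connection charset. The escaping rules and the server-side
# lexer below are simplified models written for this illustration; the input
# bytes are constructed and nothing here talks to a real MySQL server.

NEEDS_ESCAPE = frozenset(b"'\"\\")   # bytes a single-byte escaper backslashes


def is_gbk_lead(b: int) -> bool:
    return 0x81 <= b <= 0xFE


def is_gbk_trail(b: int) -> bool:
    return 0x40 <= b <= 0x7E or 0x80 <= b <= 0xFE


def escape_single_byte(value: bytes) -> bytes:
    """Escape as a client does when it believes the charset is single-byte
    (e.g. latin1): every byte is one character, so a backslash goes in front
    of every quote byte, even one that directly follows a multibyte lead byte."""
    out = bytearray()
    for b in value:
        if b in NEEDS_ESCAPE:
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def escape_gbk(value: bytes) -> bytes:
    """Escape as a client does when it knows the charset is GBK: a valid
    lead+trail pair is copied untouched; a lead byte NOT followed by a valid
    trail byte is itself escaped, so the backslash inserted for a later quote
    can never be absorbed as the trail byte of a new character."""
    out = bytearray()
    i = 0
    while i < len(value):
        b = value[i]
        if is_gbk_lead(b):
            if i + 1 < len(value) and is_gbk_trail(value[i + 1]):
                out += value[i:i + 2]
                i += 2
                continue
            out.append(0x5C)            # orphan lead byte: escape it
        elif b in NEEDS_ESCAPE:
            out.append(0x5C)
        out.append(b)
        i += 1
    return bytes(out)


def emulate_prepare(template: bytes, params, escape) -> bytes:
    """Client-side prepare: splice each parameter into the SQL text as a
    quoted, escaped literal and ship one string to the server."""
    parts = template.split(b"?")
    if len(parts) != len(params) + 1:
        raise ValueError("placeholder/parameter count mismatch")
    out = parts[0]
    for param, rest in zip(params, parts[1:]):
        out += b"'" + escape(param) + b"'" + rest
    return out


def sql_outside_literals(query: bytes) -> bytes:
    """Lex the query the way a server configured for GBK does: a lead+trail
    pair is one character (never a quote), a backslash inside a literal
    escapes the next byte, a bare quote opens or closes a literal. Returns
    only the bytes the server interprets as SQL rather than as string data."""
    out = bytearray()
    in_str = False
    i = 0
    while i < len(query):
        b = query[i]
        if is_gbk_lead(b) and i + 1 < len(query) and is_gbk_trail(query[i + 1]):
            i += 2                      # one multibyte character
            continue
        if in_str and b == 0x5C:
            i += 2                      # escaped byte inside the literal
            continue
        if b == 0x27:
            in_str = not in_str
        elif not in_str:
            out.append(b)
        i += 1
    return bytes(out)


TEMPLATE = b"SELECT * FROM users WHERE name = ?"
# Constructed attacker input: 0xBF is a GBK lead byte, 0x27 is a quote.
PAYLOAD = b"\xbf' OR 1=1 -- "


def injected(escape) -> bool:
    """True if the payload breaks out of its literal and 'OR 1=1' is parsed as SQL."""
    query = emulate_prepare(TEMPLATE, [PAYLOAD], escape)
    return b"OR 1=1" in sql_outside_literals(query)


if __name__ == "__main__":
    # Client escapes for latin1, server lexes as GBK: 0xBF 0x5C becomes one
    # character and the quote behind it closes the literal.
    print("latin1 escaping, GBK server:", "INJECTED" if injected(escape_single_byte) else "safe")
    # Client escapes with the real charset: the payload stays inside the literal.
    print("GBK escaping, GBK server:   ", "INJECTED" if injected(escape_gbk) else "safe")
```

The two knobs a PDO_Mysql user has for this are the `charset=` parameter in the DSN, which tells the client library which charset to escape for, and `PDO::ATTR_EMULATE_PREPARES => false`, which sends parameters separately from the SQL text so they never pass through the server's lexer at all. Note that a valid GBK character whose trail byte is 0x5C (`\xbf\x5c`) is left alone by `escape_gbk` but gets an extra backslash from `escape_single_byte`, so the mismatch corrupts legitimate data as well as enabling injection.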