Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:78121 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 30966 invoked from network); 16 Oct 2014 17:40:09 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 16 Oct 2014 17:40:09 -0000 Authentication-Results: pb1.pair.com smtp.mail=php-dev.list@daevel.net; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=php-dev.list@daevel.net; sender-id=pass Received-SPF: pass (pb1.pair.com: domain daevel.net designates 178.32.94.222 as permitted sender) X-PHP-List-Original-Sender: php-dev.list@daevel.net X-Host-Fingerprint: 178.32.94.222 licorne.daevel.fr Received: from [178.32.94.222] ([178.32.94.222:42441] helo=licorne.daevel.fr) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 2E/D7-11594-4F200445 for ; Thu, 16 Oct 2014 13:40:05 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=daevel.net; s=default; h=Content-Transfer-Encoding:Mime-Version:Content-Type:References:In-Reply-To:Date:Cc:To:From:Subject:Message-ID; bh=aYcF6fXx3anonCyGmG9fBp2I2l/Dkj+VLWZj7m7XrKY=; b=IJ2f+3xGfWSWfImI2CoqTsYnOVkDUfhHmDFfU0L5LbHVX3wmAdo3v3DDgpOJinS4cXoCERt3/2u6jgnh49sl0fQeei4wpcTFwWwvNp6yIgUD44SFMfgv4peIMnhr7eIf; Received: from sal69-4-78-192-172-15.fbxo.proxad.net ([78.192.172.15] helo=boolette) by licorne.daevel.fr with esmtpsa (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from ) id 1Xep1s-0000Ay-Bp; Thu, 16 Oct 2014 19:40:00 +0200 Message-ID: <1413481197.3616.0.camel@daevel.net> To: Ferenc Kovacs Cc: Rasmus Lerdorf , Anthony Ferrara , PHP Internals Date: Thu, 16 Oct 2014 19:39:57 +0200 In-Reply-To: References: <543FE883.2070401@lerdorf.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.12.7-1 Mime-Version: 1.0 Content-Transfer-Encoding: 8bit Subject: Re: [PHP-DEV] [PATCH - PR] Disable ATTR_EMULATE_PREPARES by default for PDO_Mysql From: php-dev.list@daevel.net (Olivier Bonvalet) Le jeudi 16 octobre 2014 à 18:10 +0200, Ferenc Kovacs a écrit : > On Thu, Oct 16, 2014 at 5:47 PM, Rasmus Lerdorf wrote: > > > On 10/16/2014 04:27 AM, Ferenc Kovacs wrote: > > > On Fri, Jun 15, 2012 at 3:01 AM, Anthony Ferrara > > > wrote: > > > > > >> Hello all, > > >> > > >> I raised this topic on list over a year ago ( > > >> http://marc.info/?l=php-internals&m=130417646507744&w=2 ). It was > > >> determined that it wasn't time yet to disable prepared statement > > >> emulation for MySQL yet. However, Rasmus did mention that it was a > > >> possibility for 5.4 ( > > >> http://marc.info/?l=php-internals&m=130418875017027&w=2 ). Since that > > >> ship has sailed, I submitted a pull request for trunk to change the > > >> default value of prepared statement emulation for MySQL. > > >> > > >> https://github.com/php/php-src/pull/108 > > >> > > >> https://bugs.php.net/bug.php?id=54638 > > >> > > >> Does this need to be an RFC (should I draft one)? Or can it just be > > >> pulled as-is? > > >> > > >> Thanks, > > >> > > >> Anthony > > >> > > >> -- > > >> PHP Internals - PHP Runtime Development Mailing List > > >> To unsubscribe, visit: http://www.php.net/unsub.php > > >> > > >> > > > hi, > > > > > > do we want to change the default for this in PHP7? > > > > Honestly, I am not sure about this anymore. There is a significant > > performance benefit in doing client-side prepares. Last year I attempted > > to switch to server-side prepares on Etsy's production servers but it > > added 30-40ms of page latency because of the extra round trips. And yes, > > we were doing too many queries, but I fear if we change this default > > people won't understand where this slowdown is coming from. > > > > Of course, in some rare cases using server-side prepares might speed > > things up because of prepared statement caching in the server, but I > > have yet to see a case where that caching outweighs the extra tcp > > roundtrip overhead. > > > > I do agree that the default should probably be server-side since it is > > the least surprising. We just need to make it very very clear in the > > upgrade doc that this change will likely slow down peoples' apps and > > show them how to turn client-side prepares back on. > > > > -Rasmus > > > > I don't think we should remove the option, just change the defaults, and > most people would be fine switching back to the emulation, but it should be > their conscious decision imo. > Currently many people aren't aware that they are using client side > prepares, and they are pretty much ignore the fact, that they can be > exposed to sql injections (for example via using mismatching client and > server encodings or not properly quoting the identifiers: > http://www.codeyellow.nl/identifier-sqli.html because they think that > server side prepared statements would be immune to this kind of problems). > I think it would be better to change the default in a major version, if the > tradeoff is performance vs security, and if they think that they are okay > with the emulation, they can change it back. > > > ps: > don't forget that some/many of our users are still using php on a single > server setup, where the mysql connection is done through a unix socket > instead of the network stack, so the roundtrip there will be even less > noticable, and usually those are the kind of users, who need safe defaults > because they can't afford to be aware or change settings/code for their > apps. > Hi, for me there is two usage of prepared statements : #1 : safely handle variables #2 : performance in batch traitments The first one want emulated prepared statments and the second need true prepared. It's possible to add a simplier method for the first one case, and let prepare() do a true prepare by default. For example here we extends PDO to add the q() shortcut. This shortcut basicaly do that : public function q($statement, array $params) { $stmt = $this->prepare($statement, [PDO::MYSQL_ATTR_DIRECT_QUERY => true]); return $stmt->execute($params); }