Newsgroups: php.internals
Xref: news.php.net php.internals:78127
Message-ID: <5440A046.8040501@lerdorf.com>
Date: Thu, 16 Oct 2014 21:51:18 -0700
From: rasmus@lerdorf.com (Rasmus Lerdorf)
To: Ferenc Kovacs
CC: PHP Internals
References: <543FE883.2070401@lerdorf.com>
Subject: Re: [PHP-DEV] [PATCH - PR] Disable ATTR_EMULATE_PREPARES by default for PDO_Mysql

On 10/16/2014 09:10 AM, Ferenc Kovacs wrote:
> I don't think we should remove the option, just change the defaults, and
> most people would be fine switching back to the emulation, but it should
> be their conscious decision imo.
> Currently many people aren't aware that they are using client-side
> prepares, and they pretty much ignore the fact that they can be
> exposed to SQL injections (for example via using mismatching client and
> server encodings or not properly quoting the
> identifiers: http://www.codeyellow.nl/identifier-sqli.html because they
> think that server-side prepared statements would be immune to this kind
> of problems).

I think you have the wrong idea here. That link you pointed to talks
about SQLi in identifiers. Server-side prepares are just as vulnerable
to this, so switching from client-side to server-side does nothing to
make this safer.

As far as a charset mismatch between the client and the server when it
comes to preparing query values, PDO's implementation handles that. You
need a connection handle to do a prepare so we know the charset and take
that into account.

-Rasmus
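The identifier point made above, as an added example (this is not code from the original message or from php-src). Placeholders only ever bind values, so a column name taken from the request is injectable with either setting of PDO::ATTR_EMULATE_PREPARES. To run without a MySQL server the script uses PDO's SQLite driver on an in-memory database; the table, rows and the `probe()` payload builder are constructed for the example. With a pdo_mysql DSN the same SQL behaves the same way whether prepares are emulated or sent to the server.

```php
<?php
// Added example for this thread, not code from the original message or php-src.
// Placeholders stand in for values only; an identifier (here the ORDER BY column)
// interpolated from user input is injectable whether pdo_mysql emulates prepares
// client-side or sends them to the server. SQLite in memory is used so the script
// runs without a MySQL server; SQLite accepts backtick-quoted identifiers too.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, secret TEXT NOT NULL)');
// Constructed sample rows: id order and name order deliberately differ.
$pdo->exec("INSERT INTO users (name, secret) VALUES ('zed', 's3cr3t'), ('alice', 'hunter2')");

// Vulnerable: the sort column is interpolated; only the WHERE value is bound.
function listUsersVulnerable(PDO $pdo, string $orderBy): array
{
    $stmt = $pdo->prepare("SELECT name FROM users WHERE id > ? ORDER BY $orderBy");
    $stmt->execute([0]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the identifier must come from an allowlist and is then quoted.
const ORDERABLE_COLUMNS = ['id', 'name'];

function quoteIdentifier(string $ident): string
{
    // MySQL-style identifier quoting: wrap in backticks and double any backtick
    // inside. Apply it only to allowlisted names; quoting alone does not turn
    // arbitrary input into a safe identifier.
    return '`' . str_replace('`', '``', $ident) . '`';
}

function listUsersSafe(PDO $pdo, string $orderBy): array
{
    if (!in_array($orderBy, ORDERABLE_COLUMNS, true)) {
        throw new InvalidArgumentException('unknown sort column: ' . $orderBy);
    }
    $sql  = 'SELECT name FROM users WHERE id > ? ORDER BY ' . quoteIdentifier($orderBy);
    $stmt = $pdo->prepare($sql);
    $stmt->execute([0]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Attacker-controlled "column": a CASE expression that sorts by id when the
// guessed first byte of zed's secret is right and by name otherwise. The row
// order therefore leaks one byte of the secret per request with no error and
// no second query; a prepare on the server side would run exactly this SQL.
function probe(string $guess): string
{
    return "(CASE WHEN (SELECT substr(secret, 1, 1) FROM users WHERE name = 'zed') = '$guess' "
         . 'THEN id ELSE name END)';
}

// Compare the two orderings: the correct guess sorts by id, the wrong one by name.
print_r(listUsersVulnerable($pdo, probe('s')));
print_r(listUsersVulnerable($pdo, probe('x')));

// The hardened version refuses anything that is not a known column name.
try {
    listUsersSafe($pdo, probe('s'));
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
print_r(listUsersSafe($pdo, 'name'));
```

The allowlist check is the actual defence; the backtick quoting is there so that a legitimate but unusual column name (reserved word, mixed case) still parses, not to sanitise attacker input. The same pattern applies to table names, `LIMIT` arguments and any other token that cannot be a bound parameter.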