Newsgroups: php.internals
In-Reply-To: <5440A046.8040501@lerdorf.com>
Date: Fri, 17 Oct 2014 08:59:51 +0200
From: Ferenc Kovacs <tyra3l@gmail.com>
To: Rasmus Lerdorf
Cc: PHP Internals
Subject: Re: [PHP-DEV] [PATCH - PR] Disable ATTR_EMULATE_PREPARES by default for PDO_Mysql

On 2014.10.17. 6:51, "Rasmus Lerdorf" wrote:
>
> On 10/16/2014 09:10 AM, Ferenc Kovacs wrote:
> > I don't think we should remove the option, just change the defaults, and
> > most people would be fine switching back to the emulation, but it should
> > be their conscious decision imo.
> > Currently many people aren't aware that they are using client side
> > prepares, and they pretty much ignore the fact that they can be
> > exposed to sql injections (for example via using mismatching client and
> > server encodings or not properly quoting the
> > identifiers: http://www.codeyellow.nl/identifier-sqli.html because they
> > think that server side prepared statements would be immune to this kind
> > of problems).
>
> I think you have the wrong idea here. That link you pointed to talks
> about SQLi in identifiers. Server-side prepares are just as vulnerable
> to this, so switching from client-side to server-side does nothing to
> make this safer.

Server side prepares do not support parameter binding for identifiers, so while you can still be vulnerable if you concatenate variables into your query, you wouldn't think that you are immune to sql injection that way. Emulated prepares make it look like you are.

> As far as a charset mismatch between the client and the server when it
> comes to preparing query values, PDO's implementation handles that. You
> need a connection handle to do a prepare so we know the charset and take
> that into account.
Same thing here: while (since 5.3.6 afair) you are able to pass the encoding information to the pdo driver (before that you could only use SET NAMES, which pdo doesn't care about), the emulation still makes it look like you are immune, because many people aren't aware of the emulation and assume that they are immune to sqli because the params travel as a separate entity from the query to the server.
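The two points argued in this thread, shown as an added example that is not code from the thread or from PDO itself: the connection passes the charset in the DSN and turns emulation off, and an identifier (a sort column) is handled with an allowlist because neither emulated nor server-side prepares can bind it. Host, database, credentials, the `users` table and its columns are assumed placeholders.

```php
<?php
// Added example (not from the thread). Charset in the DSN (honoured by
// PDO_MySQL since PHP 5.3.6, per the thread) plus emulation disabled, so
// bound values travel to the server separately from the query text.
// Host, database and credentials are placeholders.
$dsn = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4';
$pdo = new PDO($dsn, 'app_user', 'app_password', [
    PDO::ATTR_EMULATE_PREPARES => false,            // real server-side prepares
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);

// Values can be bound; identifiers (table/column names) cannot.
// With server-side prepares MySQL rejects a placeholder in an identifier
// position; with emulation the placeholder is quoted as a string literal,
// so `ORDER BY 'name'` silently sorts by a constant. Either way the
// identifier has to be validated by the application, not by the driver.
function usersSortedBy(PDO $pdo, string $column, int $limit): array
{
    // Allowlist of sortable columns (assumed schema of the `users` table).
    static $allowed = ['id', 'name', 'created_at'];
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException('unsupported sort column');
    }

    // The allowlisted identifier is backtick-quoted (doubling any backtick
    // for completeness); the LIMIT is a genuinely bound integer value.
    $sql = sprintf(
        'SELECT id, name FROM users ORDER BY `%s` LIMIT :lim',
        str_replace('`', '``', $column)
    );
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':lim', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage: a caller-supplied column name never reaches the SQL text unless it
// is one of the allowlisted identifiers.
$rows = usersSortedBy($pdo, 'created_at', 20);
```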