Newsgroups: php.internals
Xref: news.php.net php.internals:78133
Message-ID: <544101B9.6080601@lsces.co.uk>
Date: Fri, 17 Oct 2014 12:47:05 +0100
To: internals@lists.php.net
References: <543FE883.2070401@lerdorf.com> <54400765.90802@oracle.com> <5440E696.8050900@lsces.co.uk> <5440ECC4.4070903@phpdoc.de>
In-Reply-To: <5440ECC4.4070903@phpdoc.de>
Subject: Re: [PHP-DEV] [PATCH - PR] Disable ATTR_EMULATE_PREPARES by default for PDO_Mysql
From: lester@lsces.co.uk (Lester Caine)

On 17/10/14 11:17, Ulf Wendel wrote:
> On 17.10.2014 at 11:51, Lester Caine wrote:
>> On 16/10/14 18:59, christopher jones wrote:
>
>> Ulf stated early on in this thread re MySQL
>>> - statement and parameter are sent to the server independently
>>> - the server builds the final statement string
>>
>> Is this ACTUALLY how it works? Since other engines prepare the statement
>
> I thought this was a mailing list about PHP. I even believed from the
> headline the question would be whether PHP users of MySQL would like to
> change an API default setting. But no, it's about explaining the MySQL
> source code to Firebird lovers.

Since it is the object of PDO to create a level playing field, just how each engine handles the process is what is important, so that PHP users know what they are getting and where the real security holes are. ATTR_EMULATE_PREPARES may well be a potential security hole, and, having to live with sites that have adopted PDO_Mysql, I'd like to understand just what the process between PDO and MySQL is so I know whether I have to worry or not.

Yes, it may affect whether I take the time to switch those sites from MySQL, and maintaining them is complicated by the level of 'attack' instigated trying to find the weaknesses, so if you switch this off, do I simply need to switch it back on, or take other action?

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
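The setting the thread is arguing about, shown as an added example rather than code from the thread or from the PDO_Mysql patch: a connection that turns client-side prepare emulation off, a check that the driver actually honoured it, and a parameterised query run through it. With emulation on (the pdo_mysql default at the time of this thread) PDO quotes each bound value itself and sends the finished SQL string as an ordinary query; with it off, the statement text is sent on its own and the parameters follow in a separate message, so bound values never travel as SQL text. The DSN, credentials, `users` table and the helper names are assumptions for the example.

```php
<?php
// Added example, not from the mailing-list thread or the PDO_Mysql patch.
// DSN, credentials and the `users` table are assumed for illustration.
declare(strict_types=1);

function connectNativePrepares(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        // Default for pdo_mysql is true: PDO builds the final SQL string on
        // the client by quoting each bound value itself and sends a plain
        // query. With false, the statement text is sent to the server on its
        // own (COM_STMT_PREPARE) and the values follow separately
        // (COM_STMT_EXECUTE), so the server never receives user data as SQL.
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}

// Refuse to continue if the driver silently kept emulation on: the whole
// point of switching it off is lost if the attribute did not take effect.
function assertNativePrepares(PDO $pdo): void
{
    if ($pdo->getAttribute(PDO::ATTR_EMULATE_PREPARES)) {
        throw new RuntimeException('PDO is still emulating prepares');
    }
}

// A bound value that would change the query if it were spliced in as text.
// Here it is only ever a parameter, so the WHERE clause compares against the
// literal string and nothing else.
function lookupUser(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Assumed DSN. The charset is given in the DSN so the connection charset is
// fixed at connect time; that matters most when emulation is left on, since
// then it is the client doing the quoting.
$pdo = connectNativePrepares(
    'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4',
    'app',
    'secret'
);
assertNativePrepares($pdo);
var_dump(lookupUser($pdo, "alice' OR '1'='1"));
```

If a site has to stay on emulated prepares for some reason, the same connection options apply with `PDO::ATTR_EMULATE_PREPARES => true`; the query code does not change, only where the quoting happens, which is why checking the attribute after connecting is worth the one extra call.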