Newsgroups: php.internals
Message-ID: <544114EF.8080903@lsces.co.uk>
Date: Fri, 17 Oct 2014 14:09:03 +0100
To: internals@lists.php.net
Subject: Re: [PHP-DEV] [PATCH - PR] Disable ATTR_EMULATE_PREPARES by default for PDO_Mysql
From: lester@lsces.co.uk (Lester Caine)

On 17/10/14 13:20, Ulf Wendel wrote:
>> users know what they are getting and where the real security holes are.
> Hmm, maybe, you could make this world a better one by contributing to
> improve http://php.net/manual/en/pdo.prepared-statements.php ?

PDO does not support management of SQL differences between databases. This page is a good example of where users run into problems because they have no idea if what they are copying actually works on their particular database. Does MySQL need ATTR_EMULATE_PREPARES in order to convert client side the SQL that it feeds over to the server? If I am converting from one database to another just what is actually supported and how?

I don't use PDO with Firebird if I can help it but I am having to work with this where mysql hosting is the norm and PDO_mysql is an alternative that gets provided instead of mysqli. *I* have trouble sorting this stuff out so how do users who currently have working sites cope when things under the hood change perhaps without them even knowing?

I can quite happily add notes as to what Firebird does with the various abstractions on that page, but what about every other PDO driver? Which emulate aspects of the prepares and which do it natively?
Just what does get emulated?

--
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk