Newsgroups: php.internals
From: peter.wolanin@acquia.com (Peter Wolanin)
To: Johannes Schlüter
Cc: internals@lists.php.net
Date: Thu, 13 Nov 2014 20:21:59 -0500
In-Reply-To: <1415638978.23992.4.camel@kuechenschabe>
Subject: Re: [PHP-DEV] PDO mysql - add feature to enforce single statements?

I've added a pull request here with a proposal to add the attribute at
connection time:

https://github.com/php/php-src/pull/896

I think giving PHP users the option to do this is really critical for
securing against SQL injection, and giving more consistent behavior between
native and emulated prepares.

From my reading of the mysql API, enabling multi-query implicitly enables
multi results, but it's also possible to enable multi results separately,
and I've left it as is, explicitly enabled, in the patch.

Do you have an example of a stored procedure to test?

Thanks,

Peter

On Mon, Nov 10, 2014 at 12:02 PM, Johannes Schlüter wrote:

> On Thu, 2014-11-06 at 19:52 -0500, Peter Wolanin wrote:
> > Suggested solution: add a PDO attribute that could be set on a
> > connection or a driver option for PDO::prepare to enforce the limit of
> > a single query being prepared or run.
>
> The issue is that disabling multi-query implicitly also disables support
> for stored procedures as the same flag configures handling of operations
> with multiple result sets. So this probably needs more thought
> especially in order to get "similar" behavior with different
> databases ... can you add a feature request in the bug tracker for this?
>
> johannes

-- 
Peter M. Wolanin, Ph.D. : Momentum Specialist, Acquia. Inc.
peter.wolanin@acquia.com : 781-313-8322
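
The two behaviours discussed in this thread (rejecting stacked statements, and whether stored procedures with several result sets still work) can be checked side by side with a script like the following. It is an added example, not part of the original message or of pull request 896. It assumes the `PDO::MYSQL_ATTR_MULTI_STATEMENTS` connection option documented in the PHP manual, a throwaway MySQL database, and placeholder credentials; the table, procedure and input are constructed.

```php
<?php
// Assumptions: throwaway MySQL database and placeholder credentials below;
// the account needs CREATE ROUTINE. Sample data and input are constructed.
const DSN = 'mysql:host=127.0.0.1;dbname=pdo_demo;charset=utf8mb4';

function connect(bool $multi): PDO {
    return new PDO(DSN, 'demo_user', 'demo_password', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::MYSQL_ATTR_MULTI_STATEMENTS => $multi, // only honoured at connect time
    ]);
}

// Read every result set of a statement, skipping results that carry no columns.
function drain(PDOStatement $stmt): array {
    $sets = [];
    do {
        if ($stmt->columnCount() > 0) {
            $sets[] = $stmt->fetchAll(PDO::FETCH_ASSOC);
        }
    } while ($stmt->nextRowset());
    return $sets;
}

foreach ([true, false] as $multi) {
    $db = connect($multi);
    $db->exec('CREATE TEMPORARY TABLE demo_users (id INT PRIMARY KEY, name VARCHAR(32))');
    $db->exec("INSERT INTO demo_users VALUES (1, 'alice'), (2, 'bob')");
    $db->exec('DROP PROCEDURE IF EXISTS demo_two_sets');
    $db->exec('CREATE PROCEDURE demo_two_sets() BEGIN SELECT 1 AS a; SELECT 2 AS b; END');

    // Deliberately unsafe concatenation: the case the option is meant to contain.
    $untrusted = '1; DELETE FROM demo_users';
    try {
        drain($db->query('SELECT name FROM demo_users WHERE id = ' . $untrusted));
        $outcome = 'stacked statement accepted';
    } catch (PDOException $e) {
        $outcome = 'stacked statement rejected: ' . $e->getMessage();
    }
    $left = $db->query('SELECT COUNT(*) FROM demo_users')->fetchColumn();

    // Stored procedure with two result sets, the compatibility concern in the thread.
    $sets = count(drain($db->query('CALL demo_two_sets()')));

    printf("multi_statements=%s: %s; rows left=%d; CALL result sets=%d\n",
        var_export($multi, true), $outcome, $left, $sets);
    $db->exec('DROP PROCEDURE demo_two_sets');
}
```

Disabling multi statements limits what a concatenated query can do but does not make concatenation safe; bound parameters remain the fix for the query itself.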