Newsgroups: php.internals
From: peter.wolanin@acquia.com (Peter Wolanin)
To: Johannes Schlüter
Cc: internals@lists.php.net
Date: Fri, 14 Nov 2014 10:04:50 -0500
References: <1415638978.23992.4.camel@kuechenschabe>
Subject: Re: [PHP-DEV] PDO mysql - add feature to enforce single statements?

Added as a feature request also: https://bugs.php.net/bug.php?id=68424

I'm a little unclear about the preferred workflow for using pull requests
vs. bugs.php.net - it seems like most everything released ends up referring
to an issue on bugs.php.net?

-Peter

On Thu, Nov 13, 2014 at 8:21 PM, Peter Wolanin wrote:

> I've added a pull request here with a proposal to add the attribute at
> connection time: https://github.com/php/php-src/pull/896
>
> I think giving PHP users the option to do this is really critical for
> securing against SQL injection, and giving more consistent behavior between
> native and emulated prepares.
>
> From my reading of the mysql API, enabling multi-query implicitly enables
> multi results, but it's also possible to enable multi results separately,
> and I've left it as is, explicitly enabled, in the patch.
>
> Do you have an example of a stored procedure to test?
>
> Thanks,
>
> Peter
>
> On Mon, Nov 10, 2014 at 12:02 PM, Johannes Schlüter <
> johannes@schlueters.de> wrote:
>
>> On Thu, 2014-11-06 at 19:52 -0500, Peter Wolanin wrote:
>> > Suggested solution: add a PDO attribute that could be set on a
>> > connection or a driver option for PDO::prepare to enforce the limit of
>> > a single query being prepared or run.
>>
>> The issue is that disabling multi-query implicitly also disables support
>> for stored procedures as the same flag configures handling of operations
>> with multiple result sets. So this probably needs more thoughts
>> especially in order to get "similar" behavior with different
>> databases ... can you add a feature request in the bug tracker for this?
>>
>> johannes

-- 
Peter M. Wolanin, Ph.D. : Momentum Specialist, Acquia. Inc.
peter.wolanin@acquia.com : 781-313-8322