On Sat, Apr 30, 2011 at 9:01 PM, Rasmus Lerdorf <ras...@lerdorf.com> wrote:

> On 04/30/2011 11:59 AM, Anthony Ferrara wrote:
>
>> I'm not arguing if there weren't reasons for implementing it this way.
>>  I am arguing if they are good enough reasons to justify the security
>> impact.  It's not my decision (and I respect that), but I would stress
>> that what PDO is doing is not prepared statements or even
>> parameterized queries, and as such does not have the same benefits of
>> using true prepared statements (and perhaps the documentation needs to
>> be updated to reflect that).
>>
>
> How are native prepared statements any more secure than emulated ones?
> Neither will completely protect you against SQLi.
>
> -Rasmus
>
>
Real prepared statements push the parameter binding to the server, so you
have only one component where things could go wrong; with emulated prepared
statements you can be screwed either via the PHP parameter binding or when the
query is executed on the server (for example via a misunderstanding about the
encoding between the PHP lib and the MySQL server).

Tyrael
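The two PDO configurations the thread contrasts, as an added example that is not part of the original messages; the host, database, credentials and table are placeholders. It assumes a PHP build where the `charset=` DSN parameter is honoured by pdo_mysql (PHP 5.3.6 and later).

```php
<?php
// Added example (not from the thread). Connection details are placeholders.
$user = 'app';
$pass = 'secret';

// Emulated prepares: PDO escapes and interpolates the bound values into the
// SQL text on the client side, so correctness depends on the PHP library
// agreeing with the server about the connection character set. SET NAMES
// changes only the server-side notion of the charset, not the client library's,
// which is the kind of encoding mismatch the discussion refers to.
$emulated = new PDO('mysql:host=localhost;dbname=app', $user, $pass, [
    PDO::ATTR_EMULATE_PREPARES   => true,
    PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES utf8mb4',
]);

// Native prepares: the SQL text goes to the server once and the parameter
// values are sent separately at execute time, so the server does the binding
// and the client never builds a query string from user data. Declaring the
// charset in the DSN keeps the client library and the server in agreement.
$native = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', $user, $pass, [
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);

// Same application code either way; only the binding mechanism differs.
function findUserByName(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$rows = findUserByName($native, $_GET['name'] ?? '');
```

Whichever mode is used, the binding only covers values; table and column names or ORDER BY/LIMIT fragments still have to come from an allow-list, which is the sense in which neither mode alone removes SQLi.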
