On 17/10/14 11:17, Ulf Wendel wrote:
> On 17.10.2014 at 11:51, Lester Caine wrote:
>> On 16/10/14 18:59, christopher jones wrote:
> 
>> Ulf stated early on in this thread re MySQL
>>>  - statement and parameter are sent to the server independently
>>>  - the server builds the final statement string 
>>
>> Is this ACTUALLY how it works? Since other engines prepare the statement
> 
> I thought this was a mailing list about PHP. I even believed from the
> headline the question would be whether PHP users of MySQL would like to
> change an API default setting. But no, it's about explaining the MySQL
> source code to Firebird lovers.

Since it is the object of PDO to create a level playing field, then just
how each engine handles the process is what is important so that PHP
users know what they are getting and where the real security holes are.
ATTR_EMULATE_PREPARES may well be a potential security hole, and having
to live with sites that have adopted PDO_Mysql, I'd like to understand
just what the process between PDO and MySQL is so I know if I have to
worry or not. Yes, it may affect if I take the time to switch those sites
from MySQL, and maintaining them is complicated by the level of 'attack'
instigated trying to find the weaknesses, so if you switch this off do I
need simply to switch it back on, or take other action?

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php