Good morning,

On Mon, Jul 19, 2021 at 9:11 AM Jordan LeDoux <jordan.led...@gmail.com> wrote:
>
> > Are there documented SQL injection opportunities when using emulated
> > prepares? I'm not aware of any.
>
> This was from my reading of the actual source, which of course may be
> flawed. It appeared that if emulated prepares were used the values were
> escaped and then passed as strings as part of the query, the same as if it
> had been concatenated and wrapped in real_escape_string. I hadn't gone too
> far in actually debugging it yet to find out how it behaved under different
> circumstances as I was still trying to figure out how "small" of a change
> this was from the perspective of internals.
I also don't think there is any leftover possible SQL injection in any of the core DB extensions (PDO or 'native'). It will indeed not prevent inserting invalid data, but if there were any actual SQL injection left, I am very confident we would have known it by now. :)

--
Pierre

@pierrejoye | http://www.libgd.org

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
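The mechanism discussed in this thread (client-side quoting under emulated prepares versus server-side parameters, and the fact that emulation sends every value as a quoted string unless told otherwise) can be seen from application code. The snippet below is an added illustration, not code from the thread or from php-src; the DSN and credentials are placeholders, and the table/column names are assumed for the example.

```php
<?php
// Added example: same parameterized query under both PDO modes.
// Placeholder DSN/credentials; replace with a real MySQL connection.
function connect(bool $emulate): PDO
{
    $pdo = new PDO('mysql:host=127.0.0.1;dbname=example_db;charset=utf8mb4',
                   'example_user', 'example_password');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // false => real server-side prepared statements (values travel out of band);
    // true  => PDO quotes values client-side and interpolates them into the SQL,
    //          as described in the thread.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, $emulate);
    return $pdo;
}

function recentOrders(PDO $pdo, string $customer, int $limit): array
{
    // Column/table names assumed for the example.
    $stmt = $pdo->prepare(
        'SELECT id, total FROM orders WHERE customer = ? ORDER BY id DESC LIMIT ?'
    );
    $stmt->bindValue(1, $customer, PDO::PARAM_STR);
    // Under emulation an untyped bind would be interpolated as a quoted string
    // ("LIMIT '5'"), which MySQL rejects; an explicit PDO::PARAM_INT makes the
    // emulated query read "LIMIT 5". Server-side prepares need no such care,
    // but binding with the right type keeps behaviour identical in both modes.
    $stmt->bindValue(2, $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

foreach ([false, true] as $emulate) {
    $pdo = connect($emulate);
    // Verify which mode is actually active rather than assuming the default.
    printf("emulate_prepares=%s\n",
           $pdo->getAttribute(PDO::ATTR_EMULATE_PREPARES) ? 'on' : 'off');
    // The quoting/interpolation happens inside PDO; a value containing a quote
    // is never spliced into the SQL unescaped in either mode.
    $rows = recentOrders($pdo, "O'Brien", 5);
    printf("rows=%d\n", count($rows));
}
```

With the MySQL general query log enabled, the emulated run shows a single fully interpolated statement, while the non-emulated run shows separate Prepare and Execute entries, which is a quick way to confirm which path an application is really on.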