On 04/30/2011 11:59 AM, Anthony Ferrara wrote:
I'm not arguing that there weren't reasons for implementing it this way.
  I am arguing whether they are good enough reasons to justify the security
impact.  It's not my decision (and I respect that), but I would stress
that what PDO is doing is not prepared statements or even
parameterized queries, and as such does not have the same benefits of
using true prepared statements (and perhaps the documentation needs to
be updated to reflect that).

How are native prepared statements any more secure than emulated ones? Neither will completely protect you against SQLi.

-Rasmus

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
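An added illustration of the point both sides of the exchange above are circling (this is not code from the thread or from PDO itself): with PDO::ATTR_EMULATE_PREPARES set to false the MySQL driver sends a real server-side prepare, with it left at its default of true PDO builds the final SQL string client-side, but a value bound through a placeholder is protected in either mode, and an identifier concatenated into the SQL text is injectable in either mode. The DSN, credentials and the `users(id, name, role)` table are assumptions for the example.

```php
<?php
// Added example, not from the mailing-list thread. Assumes a MySQL DSN,
// credentials and a table users(id INT, name VARCHAR(64), role VARCHAR(16)).
$dsn  = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4'; // assumption
$user = 'app';                                             // assumption
$pass = 'secret';                                          // assumption

$pdo = new PDO($dsn, $user, $pass, [
    // false: the statement is prepared on the server and parameters are
    // shipped separately (native prepared statements).
    // true (PDO's default): PDO quotes the parameters itself and sends one
    // finished SQL string (emulated prepared statements).
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);

// 1. A bound VALUE is safe in both modes. Whether the server receives it
//    out of band or PDO quotes it client-side, the user string is data and
//    is never parsed as part of the SQL grammar.
function findByName(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 2. An IDENTIFIER cannot be a placeholder, so it ends up in the SQL text
//    before prepare() is ever called. This is injectable in both modes:
//    the emulation setting never sees $column as a parameter at all.
//    e.g. $column = "(SELECT CASE WHEN (SELECT COUNT(*) FROM users WHERE role='admin') > 0 THEN id ELSE name END)"
//    turns the sort order into a one-bit oracle about other rows.
function listSortedUnsafe(PDO $pdo, string $column): array
{
    $sql  = "SELECT id, name, role FROM users ORDER BY $column"; // attacker text in SQL
    $stmt = $pdo->prepare($sql);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 3. The fix that works regardless of prepare mode: map untrusted input onto
//    a fixed allow-list of identifiers and interpolate only the mapped value.
function listSorted(PDO $pdo, string $column): array
{
    $allowed = ['id' => 'id', 'name' => 'name', 'role' => 'role'];
    if (!isset($allowed[$column])) {
        throw new InvalidArgumentException('unknown sort column: ' . $column);
    }
    $stmt = $pdo->prepare('SELECT id, name, role FROM users ORDER BY ' . $allowed[$column]);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (value injection attempt is harmless, identifier must be allow-listed):
var_dump(findByName($pdo, "' OR '1'='1"));   // matches a literal name, nothing else
var_dump(listSorted($pdo, 'name'));          // ok
var_dump(listSorted($pdo, 'name; --'));      // throws InvalidArgumentException
```

The practical reading of the exchange: switching PDO::ATTR_EMULATE_PREPARES off changes who quotes the values (the server instead of PDO), which is worth doing on MySQL, but it does nothing for the parts of a query that placeholders cannot express, which is where the remaining SQL injection risk lives in either mode.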
