Native prepared statements will completely protect you from injection via any of the bound parameters. The wire-level passage of the data is completely different (and the data is sent by length, rather than by delimiter). As an exercise, view the traffic that's sent to the server via Wireshark... As such, they are not subject to proper escaping by character set.
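As an added example (not code from the thread or from PDO itself), this is the connection setup a defender would use to get the behaviour described above: emulation switched off so that the MySQL driver sends the parameters in the binary protocol, length-prefixed, instead of escaping and splicing them into the SQL text on the client. The DSN, table name and credentials are placeholders.

```php
<?php
// Placeholder DSN; the charset is declared in the DSN so the client library
// knows it from the first byte (pdo_mysql honours `charset` since PHP 5.3.6).
$dsn = 'mysql:host=db.example.invalid;dbname=app;charset=utf8mb4';

$pdo = new PDO($dsn, 'app_user', 'app_password', [
    // Off: PDO::prepare() issues COM_STMT_PREPARE and execute() sends the
    // bound values via COM_STMT_EXECUTE, typed and length-delimited.
    // On (the default): PDO escapes the values itself and interpolates them
    // into the query string, i.e. a parameterised query only in appearance.
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);

/**
 * Look up a user by the name supplied by the caller. The value never becomes
 * part of the SQL text, so quotes, backslashes and multibyte sequences in it
 * are data, not syntax.
 */
function findUser(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Sanity check that emulation is really off on this connection; a driver that
// does not support the attribute would silently fall back to emulation.
if ($pdo->getAttribute(PDO::ATTR_EMULATE_PREPARES)) {
    throw new RuntimeException('native prepared statements are not in effect');
}

var_dump(findUser($pdo, "O'Brien"));
```

Capturing the session with Wireshark, as suggested above, shows the difference directly: with emulation on, the query packet contains the fully expanded `SELECT ... WHERE name = 'O\'Brien'`; with it off, the COM_STMT_EXECUTE packet carries the statement id and the parameter as a separate length-prefixed string.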
On Sat, Apr 30, 2011 at 3:01 PM, Rasmus Lerdorf <ras...@lerdorf.com> wrote:
> On 04/30/2011 11:59 AM, Anthony Ferrara wrote:
>>
>> I'm not arguing if there weren't reasons for implementing it this way.
>> I am arguing if they are good enough reasons to justify the security
>> impact. It's not my decision (and I respect that), but I would stress
>> that what PDO is doing is not prepared statements or even
>> parameterized queries, and as such does not have the same benefits of
>> using true prepared statements (and perhaps the documentation needs to
>> be updated to reflect that).
>
> How is native prepared statements any more secure than emulated ones?
> Neither will completely protect you against SQLi.
>
> -Rasmus
>

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php