On 04/30/2011 12:05 PM, Anthony Ferrara wrote:
> Native prepared statements will completely protect you from injection via any of the bound parameters. The wire-level passage of the data is completely different (and the data is sent by length, rather than by delimiter). As an exercise, view the traffic that's sent to the server via Wireshark... As such, they are not subject to proper escaping by character set.
As long as PDO and MySQL agree on which character set is in use, bound parameters are safe in emulated prepares as well.
-Rasmus

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
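The two conditions discussed in the thread (PDO and MySQL agreeing on the character set, and parameters travelling length-prefixed rather than spliced into the SQL text) map onto two connection settings in pdo_mysql. The following is an added example, not code from the thread or from PHP itself; the host, database, credentials and table names are assumed placeholders. The `charset=` DSN key is honoured by pdo_mysql from PHP 5.3.6 onward, which is what makes the client-side and server-side character sets agree even when prepares are emulated; setting `PDO::ATTR_EMULATE_PREPARES` to `false` additionally makes PDO use the server's native prepared-statement protocol, so bound values are never part of the query string at all.

```php
<?php
// Added example (not from the thread). Connection values are placeholders.
//
// 1. Declare the character set in the DSN so the escaping PDO would do in
//    emulated mode uses the same encoding the server decodes the query with.
// 2. Turn emulation off so the value is sent length-prefixed in the binary
//    protocol and the server never has to find a delimiter in it.
$dsn = 'mysql:host=localhost;dbname=app;charset=utf8mb4';
$pdo = new PDO($dsn, 'app_user', 'app_password', [
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);

// Look up a user by name. The name is bound as a parameter, so quote
// characters inside it are data, not SQL syntax, regardless of which of the
// two modes above is in effect.
function findUserByName(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// A name containing an apostrophe is handled without any manual escaping.
var_dump(findUserByName($pdo, "O'Brien"));
```

To confirm which mode a connection is actually using, capture the traffic as Anthony suggests: with emulation off, the client sends a COM_STMT_PREPARE containing the `?` placeholder followed by a COM_STMT_EXECUTE carrying the value as a length-prefixed field; with emulation on, a single COM_QUERY arrives with the quoted, escaped value already substituted into the SQL text.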