On 10/16/2014 09:10 AM, Ferenc Kovacs wrote:

> I don't think we should remove the option, just change the defaults, and
> most people would be fine switching back to the emulation, but it should
> be their conscious decision imo.
> Currently many people aren't aware that they are using client side
> prepares, and they pretty much ignore the fact that they can be
> exposed to SQL injections (for example via using mismatching client and
> server encodings or not properly quoting the
> identifiers: http://www.codeyellow.nl/identifier-sqli.html because they
> think that server side prepared statements would be immune to this kind
> of problems).
I think you have the wrong idea here. That link you pointed to talks about SQLi in identifiers. Server-side prepares are just as vulnerable to this, so switching from client-side to server-side does nothing to make this safer.

As far as a charset mismatch between the client and the server when it comes to preparing query values, PDO's implementation handles that. You need a connection handle to do a prepare, so we know the charset and take that into account.

-Rasmus

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
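The two points in the exchange above, as an added example that is not from the thread or from PHP itself: the charset is fixed in the DSN so PDO's quoting for emulated prepares matches the server, emulation is switched off explicitly rather than left to the default, and identifiers (which neither prepare mode can bind) go through an allowlist. The host, credentials, `users` table and column names are constructed placeholders.

```php
<?php
// Added example (not from the thread). Assumes a MySQL server reachable
// through the constructed DSN below; table and column names are placeholders.

function connect(): PDO {
    // Charset in the DSN: client and server agree on the encoding PDO uses
    // when it quotes values for emulated prepares, avoiding the mismatch case.
    $dsn = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4';
    $pdo = new PDO($dsn, 'app_user', 'app_password');
    // Make the choice explicit: server-side prepared statements instead of
    // client-side emulation (the default change discussed in the thread).
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Identifiers cannot be bound as parameters in either prepare mode, so a
// caller-supplied column name is checked against a fixed allowlist.
const SORTABLE_COLUMNS = ['id', 'created_at', 'username'];

function fetchUsersSorted(PDO $pdo, string $sortColumn, int $minId): array {
    if (!in_array($sortColumn, SORTABLE_COLUMNS, true)) {
        throw new InvalidArgumentException("unknown sort column: $sortColumn");
    }
    // The identifier comes from the allowlist; the value is still a bound parameter.
    $sql = sprintf(
        'SELECT id, username FROM users WHERE id > :min_id ORDER BY `%s`',
        $sortColumn
    );
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':min_id', $minId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = connect();
var_dump(fetchUsersSorted($pdo, 'created_at', 100));
```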