Problem: With PDO, the mysql driver in emulated mode allows multiple queries, where non-emulated mode does not. This makes SQL injections with PDO mysql potentially much more damaging.
Suggested solution: add a PDO attribute that could be set on a connection, or a driver option for PDO::prepare, to enforce the limit of a single query being prepared or run. Happy to open a bug report/feature request, but looking for feedback first.

More background: The Drupal project recently had a serious SQL injection vulnerability uncovered: https://www.drupal.org/SA-CORE-2014-005

A technical discussion of it: http://blog.ircmaxell.com/2014/10/a-lesson-in-security.html

To be brief, from Drupal 6.x to Drupal 7.x, we converted from wrappers on mysqli_query and pg_query to a database layer that extends from PDO. The most common setup is using PDO mysql and emulated prepared statements. This turns out to have made the potential damage to Drupal 7 much greater when an SQL injection is discovered, since the emulated prepare allows multiple SQL statements; hence a single SELECT can be modified to a SELECT followed by one or more INSERT or UPDATE statements. mysqli only supports a single statement.

Since this situation probably affects many web applications using PDO, I'd like to see if a new PDO attribute could be added which would e.g. cause the driver to throw an exception if multiple statements were sent at once. Ideally, this could be backported to current releases.

-Peter Wolanin
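The configuration the mail is asking about, as an added example that is not part of the original message or of Drupal's database layer: a PDO MySQL connection factory that turns emulated prepares off and, on PHP builds that have it (5.5.21 / 5.6.5 and later), also sets the PDO::MYSQL_ATTR_MULTI_STATEMENTS driver option, plus a deployment self-check that confirms the handle refuses a two-statement string. The DSN, user name and password are placeholders.

```php
<?php
// Added example (not from the original mail). Assumed placeholders: DSN, user, password.
declare(strict_types=1);

function hardenedPdo(string $dsn, string $user, string $pass): PDO
{
    $options = [
        // Real server-side prepares: MySQL's prepare protocol takes one statement
        // per handle, so "SELECT ...; INSERT ..." is rejected as a syntax error.
        PDO::ATTR_EMULATE_PREPARES => false,
        // Surface failures as exceptions instead of silent false returns.
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ];
    // Driver option that disables multi-statement text in both prepare() and
    // query(). It only exists on PHP >= 5.5.21 / 5.6.5 and must be passed to the
    // constructor; setAttribute() after connecting has no effect for it.
    if (defined('PDO::MYSQL_ATTR_MULTI_STATEMENTS')) {
        $options[PDO::MYSQL_ATTR_MULTI_STATEMENTS] = false;
    }
    return new PDO($dsn, $user, $pass, $options);
}

/**
 * Self-check: true when the connection refuses to run more than one
 * statement per prepare()/execute() call, false when it accepts both.
 */
function refusesStackedQueries(PDO $pdo): bool
{
    // Harmless two-statement string, constructed for the check. On a hardened
    // handle the driver or the server must reject it rather than execute both.
    $stacked = 'SELECT 1; SELECT 2';
    try {
        $stmt = $pdo->prepare($stacked);
        $stmt->execute();
        // Reached only when both statements ran: the emulated behaviour the
        // mail describes, where an injected ";INSERT ..." would also execute.
        return false;
    } catch (PDOException $e) {
        return true;
    }
}

// Placeholder credentials; replace for your environment.
$pdo = hardenedPdo('mysql:host=127.0.0.1;dbname=app_db;charset=utf8mb4', 'app_user', 'CHANGE_ME');
if (!refusesStackedQueries($pdo)) {
    fwrite(STDERR, "WARNING: this PDO handle accepts stacked queries\n");
    exit(1);
}
echo "OK: connection runs one statement per call\n";
```

Running the self-check against the same credentials with PDO::ATTR_EMULATE_PREPARES left at its default (true) and without the driver option reproduces the accepted multi-statement behaviour the mail warns about.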