Re: [off] PHP: a fractal of bad design

From: Date: Wed, 11 Apr 2012 21:05:18 +0000
Subject: Re: [off] PHP: a fractal of bad design
Groups: php.internals
On Wed, 2012-04-11 at 19:44 +0100, Lester Caine wrote:
> Anthony Ferrara wrote:
> > Even with PDO and older versions of MySQL, you could inject into
> > prepared statements quite easily (assuming charset settings):
> >
> > $var = '1' . chr(0xbf) . chr(0x27) . ' OR 1=1';
> >
> > $pdo = new PDO('mysql:...');
> > $pdo->query('SET NAMES GBK');
> > $stmt = $pdo->prepare('SELECT * FROM foo WHERE 2 = ?');
> > $stmt->bindParam(1, $var);
> > $stmt->execute();
> >
> > Without setting $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, 0)
> > first, that will successfully inject into the query thanks to how PDO
> > emulates prepares.
> >
> > A problem that true prepared statements (MySQLi, or PDO with emulated
> > prepares off) are immune to...
> 
> Try doing that with a real database ;)

If PDO decided to use emulation by default (which has benefits like
fewer roundtrips etc.), it's not necessarily an issue with the database.

And that this doesn't work is obvious with emulation: PDO doesn't parse
the SQL and has no understanding of "SET NAMES", and neither does the MySQL
client lib used. The proper way to set the encoding is by using the
DSN's charset option.

johannes
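The mechanism behind the quoted bypass, as an added illustration that is not part of this thread and not PDO's or libmysql's code: with emulated prepares the client library escapes the bound value itself, and if it was never told (via the connection parameters) that the connection charset is GBK, it escapes byte by byte. The byte 0xBF 0x27 then becomes 0xBF 0x5C 0x27, and 0xBF 0x5C is a valid two-byte GBK character, so the server-side lexer swallows the backslash and the following quote closes the literal. A charset-aware escaper instead escapes the orphan lead byte as well. The GBK lead/trail byte ranges below are the standard ones; the "server lexer" and both escapers are simplified models written for this example, and the function names and the attacker payload are constructed for it.

```python
"""Model of the GBK multibyte escaping bypass discussed above.

Added example, not code from PDO or libmysql: it models a charset-unaware
client escaper (what emulated prepares do when SET NAMES changed the server
charset behind the client library's back), a charset-aware escaper (what the
client can do when the charset comes from the DSN), and a simplified GBK-aware
server lexer that finds the end of a single-quoted string literal.
"""

# Constructed attacker input, the same bytes as in the quoted PHP snippet:
# '1' . chr(0xbf) . chr(0x27) . ' OR 1=1'
PAYLOAD = b"1" + bytes([0xBF, 0x27]) + b" OR 1=1"


def gbk_is_lead(b: int) -> bool:
    """GBK lead byte range."""
    return 0x81 <= b <= 0xFE


def gbk_is_trail(b: int) -> bool:
    """GBK trail byte range; note that 0x5C (backslash) is a valid trail byte."""
    return 0x40 <= b <= 0x7E or 0x80 <= b <= 0xFE


def escape_bytewise(value: bytes) -> bytes:
    """Charset-unaware escaping: every quote and backslash gets a backslash,
    with no idea which bytes belong to a multibyte character."""
    out = bytearray()
    for b in value:
        if b in (0x27, 0x22, 0x5C):  # ' " \
            out += b"\\"
        out.append(b)
    return bytes(out)


def escape_gbk_aware(value: bytes) -> bytes:
    """Charset-aware escaping: a complete two-byte GBK character is copied
    untouched; a lead byte NOT followed by a valid trail byte is itself escaped,
    so it can never fuse with the backslash inserted for a following quote."""
    out = bytearray()
    i, n = 0, len(value)
    while i < n:
        b = value[i]
        if gbk_is_lead(b) and i + 1 < n and gbk_is_trail(value[i + 1]):
            out += value[i:i + 2]
            i += 2
            continue
        if gbk_is_lead(b) or b in (0x27, 0x22, 0x5C):
            out += b"\\"  # escape orphan lead byte or metacharacter
        out.append(b)
        i += 1
    return bytes(out)


def build_query(escaped: bytes) -> bytes:
    """The query from the thread with the escaped value spliced in as a literal."""
    return b"SELECT * FROM foo WHERE 2 = '" + escaped + b"'"


def gbk_literal_end(sql: bytes, start: int) -> int:
    """Simplified model of a server lexer on a GBK connection reading a
    single-quoted literal: a valid lead+trail pair is one character (so a
    backslash used as a trail byte is not an escape), a backslash escapes the
    next byte, and an unescaped quote ends the literal. Returns its index."""
    i, n = start, len(sql)
    while i < n:
        b = sql[i]
        if gbk_is_lead(b) and i + 1 < n and gbk_is_trail(sql[i + 1]):
            i += 2
            continue
        if b == 0x5C:
            i += 2
            continue
        if b == 0x27:
            return i
        i += 1
    raise ValueError("unterminated string literal")


def sql_after_literal(escaper) -> bytes:
    """What the server parses AFTER the bound value's literal closes:
    empty for a safe escaper, attacker-controlled SQL for an unsafe one."""
    sql = build_query(escaper(PAYLOAD))
    open_quote = sql.index(b"'")
    close_quote = gbk_literal_end(sql, open_quote + 1)
    return sql[close_quote + 1:]


if __name__ == "__main__":
    print("bytewise escaping leaks:", sql_after_literal(escape_bytewise))
    print("GBK-aware escaping leaks:", sql_after_literal(escape_gbk_aware))
```

In PDO terms the two fixes map onto the two escapers above: putting `charset=gbk` in the DSN (honoured since PHP 5.3.6; earlier versions silently ignored it) tells the client library the real charset so its escaping is charset aware, and setting `PDO::ATTR_EMULATE_PREPARES` to `false` avoids client-side escaping altogether by sending the value separately from the statement.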



