Re: [PATCH - PR] Disable ATTR_EMULATE_PREPARES by default for PDO_Mysql

From:	Christopher Jones	Date:	Tue, 19 Jun 2012 21:45:37 +0000
Subject:	Re: [PATCH - PR] Disable ATTR_EMULATE_PREPARES by default for PDO_Mysql
References:	1 2 3 4	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

On 06/16/2012 12:19 AM, Ulf Wendel wrote:
Am 15.06.2012 18:28, schrieb Christopher Jones:

On 06/15/2012 08:34 AM, Ulf Wendel wrote:
As long as client-side escaping is done properly, there is no
practical difference between the [client vs server -prepare]
approaches.

The big problem with this line of reasoning is that the client must
know exactly the same dialect of SQL/XQUERY/whatever that the server
does. Since we can't predict the future, and so a new DB might

Plain wrong. If client does not mess up on type and charsets there is no practical difference between the security of properly done client side escaping and server-side escaping. No matter if the subject of escaping is a fairy tale on goofy or any other
string that happens to look like any other human invented format, e.g. SQL.

Ulf


We should take this offline - I can see cases where I'd strongly disagree.

Chris

-- 
[email protected]
http://twitter.com/#!/ghrd


   

Thread (40 messages)

• Anthony FerraraFri, 15 Jun 2012 01:01:29 +0000
  • Ulf WendelFri, 15 Jun 2012 15:34:28 +0000
    • Christopher JonesFri, 15 Jun 2012 16:28:50 +0000
      • Anthony FerraraFri, 15 Jun 2012 16:36:07 +0000
        • Christopher JonesFri, 15 Jun 2012 16:53:21 +0000
        • Ulf WendelFri, 15 Jun 2012 17:03:57 +0000
          • Anthony FerraraFri, 15 Jun 2012 17:31:59 +0000
            • Ulf WendelFri, 15 Jun 2012 17:55:50 +0000
              • Anthony FerraraFri, 15 Jun 2012 19:15:57 +0000
                • Ulf WendelFri, 15 Jun 2012 19:56:25 +0000
      • Ulf WendelSat, 16 Jun 2012 07:19:50 +0000
        • Christopher JonesTue, 19 Jun 2012 21:45:37 +0000
          • Pierre JoyeWed, 20 Jun 2012 06:39:45 +0000
            • Ulf WendelThu, 21 Jun 2012 06:57:27 +0000
              • Anthony FerraraFri, 22 Jun 2012 02:19:11 +0000
                • Anthony FerraraFri, 22 Jun 2012 02:35:11 +0000
                  • Johannes SchlüterFri, 22 Jun 2012 10:25:07 +0000
  • Yasuo OhgakiWed, 20 Jun 2012 03:16:24 +0000
    • Yasuo OhgakiThu, 28 Jun 2012 03:45:17 +0000
      • Rasmus LerdorfThu, 28 Jun 2012 03:50:02 +0000
        • Yasuo OhgakiThu, 28 Jun 2012 09:55:10 +0000
  • Ferenc KovacsThu, 16 Oct 2014 11:27:08 +0000
    • Rasmus LerdorfThu, 16 Oct 2014 15:47:15 +0000
      • Ferenc KovacsThu, 16 Oct 2014 16:10:34 +0000
        • Olivier BonvaletThu, 16 Oct 2014 17:39:57 +0000
          • Rowan CollinsThu, 16 Oct 2014 22:59:22 +0000
        • Rasmus LerdorfFri, 17 Oct 2014 04:51:18 +0000
          • Ferenc KovacsFri, 17 Oct 2014 06:59:51 +0000
        • Matteo BeccatiMon, 03 Nov 2014 09:18:08 +0000
          • Rowan CollinsMon, 03 Nov 2014 11:40:06 +0000
            • Matteo BeccatiMon, 03 Nov 2014 11:55:52 +0000
              • Matteo BeccatiMon, 03 Nov 2014 12:02:18 +0000
      • christopher jonesThu, 16 Oct 2014 17:59:01 +0000
        • Lester CaineFri, 17 Oct 2014 09:51:18 +0000
          • Ulf WendelFri, 17 Oct 2014 10:17:40 +0000
            • Lester CaineFri, 17 Oct 2014 11:47:05 +0000
              • Ulf WendelFri, 17 Oct 2014 12:20:00 +0000
                • Lester CaineFri, 17 Oct 2014 13:09:03 +0000
                  • Ulf WendelFri, 17 Oct 2014 15:01:44 +0000