Doc Bug #68254 PDO lacks design implication discussion
Submitted: 2014-10-17 15:01 UTC Modified: 2023-06-20 16:01 UTC
Avg. Score:4.0 ± 1.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: Assigned:
Status: Open Package: PDO related
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None

 [2014-10-17 15:01 UTC]
It seems there is confusion around the PDO documentation with regard to "security" (see below internals ML posting). The PDO general documentation about prepared statements at likes to highlight advantages of prepared statements and the bind API offered by PDO. Neither are PS disadvantages discussed nor is there any hint about implications of the PDO design (when PS emulation happens). This bears the risk of giving a false feeling of security.

Date: Fri, 17 Oct 2014 14:09:03 +0100
From: Lester Caine <>
Subject: Re: [PHP-DEV] [PATCH - PR] Disable ATTR_EMULATE_PREPARES by default
 for PDO_Mysql

On 17/10/14 13:20, Ulf Wendel wrote:
>> users know what they are getting and where the real security holes are.
> Hmm, maybe, you could make this world a better one by contributing to
> improve ?

PDO does not support management of SQL differences between databases.
This page is a good example of where users run into problems because
they have no idea if what they are copying actually works on their
particular database. Does MySQL need ATTR_EMULATE_PREPARES in order to
convert client side the SQL that it feeds over to the server? If I am
converting from one database to another just what is actually supported
and how?

I don't use PDO with Firebird if I can help it but I am having to work
with this where mysql hosting is the norm and PDO_mysql is an
alternative that gets provided instead of mysqli. *I* have trouble
sorting this stuff out so how do users who currently have working sites
cope when things under the hood change perhaps without them even knowing?

I can quite happily add notes as to what Firebird does with the various
abstractions on that page, but what about every other PDO driver? Which
emulate aspects of the prepares and which do it natively? Just what does
get emulated?

Lester Caine - G8HFL
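One way to stop relying on a driver default for prepared statement emulation, as an added example that is not part of the bug report, the mailing list post or the PHP manual: set PDO::ATTR_EMULATE_PREPARES explicitly, read back what the driver applied, and fail closed when the driver does not confirm it. The function names, the in-memory SQLite DSN and the MySQL DSN placeholders are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example: state the prepare mode explicitly and read back what the
// driver applied. Function names and the DSN are assumptions for illustration.
function openWithPrepareMode(string $dsn, ?string $user, ?string $pass, bool $emulate): array
{
    $pdo = new PDO($dsn, $user, $pass, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $applied = null; // null = the driver did not tell us
    try {
        if ($pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, $emulate)) {
            $applied = (bool) $pdo->getAttribute(PDO::ATTR_EMULATE_PREPARES);
        }
    } catch (PDOException $e) {
        // Attribute not supported by this driver: leave $applied as null.
    }
    return [
        'pdo'       => $pdo,
        'driver'    => $pdo->getAttribute(PDO::ATTR_DRIVER_NAME),
        'requested' => $emulate,
        'applied'   => $applied,
    ];
}

// Fail closed: refuse to continue unless the driver confirms the requested mode.
function assertPrepareMode(array $conn): void
{
    if ($conn['applied'] !== $conn['requested']) {
        $seen = $conn['applied'] === null ? 'unknown' : var_export($conn['applied'], true);
        throw new RuntimeException(sprintf(
            '%s: requested ATTR_EMULATE_PREPARES=%s, driver reports %s',
            $conn['driver'],
            var_export($conn['requested'], true),
            $seen
        ));
    }
}

// Constructed sample: in-memory SQLite so the script runs offline (needs pdo_sqlite).
// For MySQL, pass a DSN such as 'mysql:host=HOST;dbname=DB;charset=utf8mb4' instead.
$conn = openWithPrepareMode('sqlite::memory:', null, null, false);
try {
    assertPrepareMode($conn);
    echo "{$conn['driver']}: driver confirms emulation is off\n";
} catch (RuntimeException $e) {
    echo 'Not confirmed: ', $e->getMessage(), "\n";
}
```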


 [2017-01-28 12:47 UTC]
-Package: Documentation problem +Package: PDO related
 [2020-05-17 16:12 UTC]
-Assigned To: +Assigned To: tiffany
 [2023-06-20 16:01 UTC]
-Status: Assigned +Status: Open
-Assigned To: tiffany +Assigned To:
Last updated: Wed Feb 28 03:01:28 2024 UTC