Doc Bug #68254 PDO lacks design implication discussion
Submitted: 2014-10-17 15:01 UTC Modified: 2023-06-20 16:01 UTC
Avg. Score:4.0 ± 1.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: Assigned:
Status: Open Package: PDO related
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None


 [2014-10-17 15:01 UTC]
It seems there is confusion around the PDO documentation with regard to "security" (see below internals ML posting). The PDO general documentation about prepared statements at likes to highlight advantages of prepared statements and the bind API offered by PDO. Neither are PS disadvantages discussed nor is there any hint about implications of the PDO design (when PS emulation happens). This bears the risk of giving a false feeling of security.

Date: Fri, 17 Oct 2014 14:09:03 +0100
From: Lester Caine <>
Subject: Re: [PHP-DEV] [PATCH - PR] Disable ATTR_EMULATE_PREPARES by default for PDO_Mysql

On 17/10/14 13:20, Ulf Wendel wrote:
>> users know what they are getting and where the real security holes are.
> Hmm, maybe, you could make this world a better one by contributing to
> improve ?

PDO does not support management of SQL differences between databases.
This page is a good example of where users run into problems because
they have no idea if what they are copying actually works on their
particular database. Does MySQL need ATTR_EMULATE_PREPARES in order to
convert client side the SQL that it feeds over to the server? If I am
converting from one database to another just what is actually supported
and how?

I don't use PDO with Firebird if I can help it but I am having to work
with this where mysql hosting is the norm and PDO_mysql is an
alternative that gets provided instead of mysqli. *I* have trouble
sorting this stuff out so how do users who currently have working sites
cope when things under the hood change perhaps without them even knowing?

I can quite happily add notes as to what Firebird does with the various
abstractions on that page, but what about every other PDO driver? Which
emulate aspects of the prepares and which do it natively? Just what does
get emulated?

Lester Caine - G8HFL

 [2017-01-28 12:47 UTC]
-Package: Documentation problem +Package: PDO related
 [2020-05-17 16:12 UTC]
-Assigned To: +Assigned To: tiffany
 [2023-06-20 16:01 UTC]
-Status: Assigned +Status: Open -Assigned To: tiffany +Assigned To:
Last updated: Mon Mar 04 21:01:31 2024 UTC