1
votes

Is PDO still emulating prepared statements for MySQL? This was already answered in this, but the answer was given many years ago; it's huge, so here is a quote:

Now, it's worth noting that you can prevent this by disabling emulated prepared statements:

$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

This will usually result in a true prepared statement (i.e. the data being sent over in a separate packet from the query). However, be aware that PDO will silently fall back to emulating statements that MySQL can't prepare natively (those that it can are listed in the manual, but beware to select the appropriate server version).

I'm connecting by

$conn = new PDO("mysql:dbname=$dbname;host=$dbhost;charset=utf8",$dbuser,$dbpasswd);

Is there a way to switch to mysqli? If so, will it use real prepares?

Using two versions: PHP 7.2.19 and PHP 5.6
$ mysql --version
mysql  Ver 14.14 Distrib 5.7.26, for Linux (x86_64) using  EditLine wrapper
2
“Is there a way to switch to mysqli?” - if you are asking if one can rewrite code to use MySQLi instead of PDO, then the answer would be yes … – 04FS
Why don't you just disable the emulation, like it said in the citation? – Your Common Sense
@YourCommonSense because disabling emulation falls back to emulation when using mysql – LeonidMew

2 Answers

2
votes

The answer you are referring to is more like a scary tale than a real help. If you read the fine print at the bottom, it says that with actual software versions you are all right (actual means released past 2010).

So you can tell that security-wise there is no difference whether prepared statements are emulated or not. Hence, the answer to your question is not that important.

Besides, you incorrectly understood a certain statement from it.

However, be aware that PDO will silently fallback to emulating statements that MySQL can't prepare natively

It doesn't mean that mysql doesn't support native prepared statements at all. It means that only for some certain kinds of queries mysql does not support prepared statements. For such queries you don't have too much of a choice, so it doesn't really matter again.

To make it clear

  • PDO does still emulate prepared statements for MySQL by default, when no option is set.
  • For the most used query types such as SELECT, INSERT, UPDATE and such, PDO does not emulate prepared statements for MySQL if explicitly told to use native statements. By the way, the list of supported statements is quite inclusive.
  • As this behavior is decided on the server side, changing the PHP API from PDO to mysqli won't help.
  • For some rarely used query types it may silently fall back to emulating statements, but it is neither a security concern, nor do you have a choice anyway.

To sum it up:

For convenience's sake, disable the emulation as a connection option. That means you have to change your current single-line connection to a full-blown PDO connection script, which I suggest as a canonical example, and then just move on.
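An added example (not code from either answer) of the connection script the answer recommends, with one check a practitioner may want: MySQL's per-session `Com_stmt_prepare` counter advances only when the server actually receives a PREPARE command, so it tells you whether a given statement was prepared natively or sent as emulated text. The DSN, credentials and the `users` table are placeholders.

```php
<?php
// Added example, not from the original answers: connect with emulation
// disabled at construction time, then verify that a parameterised query
// really reached MySQL as a server-side PREPARE.
// DSN, credentials and the `users` table are placeholders.
declare(strict_types=1);

$dsn  = "mysql:dbname=testdb;host=127.0.0.1;charset=utf8mb4"; // placeholder
$user = 'appuser';  // placeholder
$pass = 'secret';   // placeholder

$options = [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly, not silently
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    PDO::ATTR_EMULATE_PREPARES   => false,                  // ask for native prepares
];
$pdo = new PDO($dsn, $user, $pass, $options);

// Read this session's count of server-side PREPARE commands.
// Plain query(): it is sent as text and does not touch the counter itself.
function stmtPrepareCount(PDO $pdo): int
{
    $row = $pdo->query("SHOW SESSION STATUS LIKE 'Com_stmt_prepare'")->fetch();
    return (int) $row['Value'];
}

// Run one parameterised query and report whether the server saw a PREPARE.
// true  => native prepare (value travels separately from the SQL text)
// false => PDO interpolated the value client-side (emulated)
function runAndCheck(PDO $pdo, string $sql, array $params): bool
{
    $before = stmtPrepareCount($pdo);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    $stmt->fetchAll();     // consume the buffered result set
    $stmt->closeCursor();
    return stmtPrepareCount($pdo) > $before;
}

// A plain SELECT with a bound value is in MySQL's preparable list,
// so with ATTR_EMULATE_PREPARES = false the counter should advance.
$native = runAndCheck($pdo, 'SELECT id, name FROM users WHERE id = ?', [42]);
echo 'SELECT ... WHERE id = ? prepared natively: ', var_export($native, true), PHP_EOL;
```

If the counter does not move for a statement, that statement was sent as interpolated text; run the same check on the queries your application actually uses rather than assuming.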

0
votes

From my understanding of the documentation, it seems that PDO will always try to use native prepared statements, unless the driver doesn't support them, or if you explicitly state you want emulation by using ATTR_EMULATE_PREPARES.

Docs:

Prepared statements are so useful that they are the only feature that PDO will emulate for drivers that don't support them. This ensures that an application will be able to use the same data access paradigm regardless of the capabilities of the database.

Also:

PDO::ATTR_EMULATE_PREPARES Enables or disables emulation of prepared statements. Some drivers do not support native prepared statements or have limited support for them. Use this setting to force PDO to either always emulate prepared statements (if TRUE and emulated prepares are supported by the driver), or to try to use native prepared statements (if FALSE). It will always fall back to emulating the prepared statement if the driver cannot successfully prepare the current query.