Is PDO still emulating prepared statements for MySQL?
This was already answered in this but the answer was given many years ago. It's huge, so here is a quote:
Now, it’s worth noting that you can prevent this by disabling emulated
prepared statements:
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
This will usually result in a true prepared statement (i.e. the data
being sent over in a separate packet from the query). However, be
aware that PDO will silently fallback to emulating statements that
MySQL can’t prepare natively: those that it can are listed in the
manual, but beware to select the appropriate server version).
I’m connecting with
$conn = new PDO("mysql:dbname=$dbname;host=$dbhost;charset=utf8",$dbuser,$dbpasswd);
Is there a way to switch to mysqli? If so, will it use real prepares?
I'm using two versions: PHP 7.2.19 and PHP 5.6
$ mysql --version
mysql Ver 14.14 Distrib 5.7.26, for Linux (x86_64) using EditLine wrapper
2 Answers
From my understanding of the documentation, it seems that PDO will always try to use native prepared statements, unless the drivers don’t support them, or if you explicitly state you want it by using ATTR_EMULATE_PREPARES.
Docs:
Also:
The answer you are referring to is more like a scary tale than real help. If you read the fine print at the bottom, it says that with actual software versions you are all right (actual means released past 2010).
So you can tell that security-wise there is no difference whether prepared statements are emulated or not. Hence, the answer to your question is not that important.
Besides, you incorrectly understood a certain statement from it.
It doesn’t mean that MySQL doesn’t support native prepared statements at all. It means that only for certain kinds of queries MySQL does not support prepared statements. For such queries you don’t have much of a choice, so it doesn’t really matter again.
To make it clear
To sum it up:
For convenience's sake, disable the emulation as a connection option. This means you have to change your current single-line connection to a full-blown PDO connection script, which I suggest as a canonical example, and then just move on.
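
One way to check from the client whether a connection like the one in the question sends server-side prepares, with emulation disabled as a connection option (an added example, not code from the question or the answers; the credentials, the helper names serverPrepareCount and sentServerPrepare, and the sample query are assumptions):

```php
<?php
// Added example. The connection values below are placeholders (assumptions).
$dbhost = '127.0.0.1';
$dbname = 'test';
$dbuser = 'app';
$dbpasswd = 'secret';

// Emulation is disabled as a connection option rather than by a later setAttribute() call.
$options = [
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
];
$conn = new PDO("mysql:dbname=$dbname;host=$dbhost;charset=utf8", $dbuser, $dbpasswd, $options);

// Hypothetical helper: read this session's Com_stmt_prepare counter.
// Emulation is switched on for the read so the SHOW query itself is sent
// as a plain query and does not add to the counter being measured.
function serverPrepareCount(PDO $pdo)
{
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, true);
    $row = $pdo->query("SHOW SESSION STATUS LIKE 'Com_stmt_prepare'")->fetch(PDO::FETCH_NUM);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return (int) $row[1];
}

// Hypothetical helper: true when PDO sent a server-side prepare request for $sql,
// false when the statement was emulated on the client.
function sentServerPrepare(PDO $pdo, $sql, array $params)
{
    $before = serverPrepareCount($pdo);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    $stmt->closeCursor();
    return serverPrepareCount($pdo) > $before;
}

var_dump(sentServerPrepare($conn, 'SELECT ? AS v', ['x']));
```

Com_stmt_prepare counts prepare requests, including ones the server rejects, so this confirms that PDO is not emulating on the client; it does not prove the server accepted the prepare for a statement type it cannot prepare natively.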