
Is PDO still emulating prepared statements for MySQL? This was already answered in this, but the answer was given many years ago; it's huge, so here is a quote:

Now, it’s worth noting that you can prevent this by disabling emulated
prepared statements:

$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

This will usually result in a true prepared statement (i.e. the data
being sent over in a separate packet from the query). However, be
aware that PDO will silently fallback to emulating statements that
MySQL can’t prepare natively (those that it can are listed in the
manual, but beware to select the appropriate server version).

I’m connecting by

$conn = new PDO("mysql:dbname=$dbname;host=$dbhost;charset=utf8",$dbuser,$dbpasswd);

Is there a way to switch to mysqli? If so, will it use real prepares?

Using two versions: PHP 7.2.19 and PHP 5.6
$ mysql --version
mysql  Ver 14.14 Distrib 5.7.26, for Linux (x86_64) using  EditLine wrapper


Answers


  1. From my understanding of the documentation it seems that PDO will always try to use native prepared statements, unless the drivers don’t support them, or if you explicitly state you want it by using ATTR_EMULATE_PREPARES

    Docs:

    Prepared statements are so useful that they are the only feature that
    PDO will emulate for drivers that don’t support them. This ensures
    that an application will be able to use the same data access paradigm
    regardless of the capabilities of the database.

    Also:

    PDO::ATTR_EMULATE_PREPARES Enables or disables emulation of prepared
    statements. Some drivers do not support native prepared statements or
    have limited support for them. Use this setting to force PDO to either
    always emulate prepared statements (if TRUE and emulated prepares are
    supported by the driver), or to try to use native prepared statements
    (if FALSE). It will always fall back to emulating the prepared
    statement if the driver cannot successfully prepare the current query.

  2. The answer you are referring to is more like a scary tale than a real help. If you read the fine print at the bottom, it says that with actual software versions you are all right (actual means released past 2010).

    So you can tell that security-wise there is no difference whether prepared statements are emulated or not. Hence, the answer to your question is not that important.

    Besides, you incorrectly understood a certain statement from it.

    However, be aware that PDO will silently fallback to emulating statements that MySQL can’t prepare natively

    It doesn’t mean that MySQL doesn’t support native prepared statements at all. It means only that for certain kinds of queries MySQL does not support prepared statements. For such queries you don’t have much of a choice, so it doesn’t really matter again.

    To make it clear

    • PDO does still emulate prepared statements for MySQL by default, when no option is set.
    • For the most used query types such as SELECT, INSERT, UPDATE and such, PDO does not emulate prepared statements for MySQL if explicitly told to use native statements. By the way, the list of supported statements is quite inclusive.
    • As this behavior is decided on the server side, changing the PHP API from PDO to mysqli won’t help.
    • For some rarely used query types it may silently fall back to emulating statements, but it is neither a security concern nor do you have a choice anyway.

    To sum it up:

    For convenience’s sake, disable the emulation as a connection option. This means you have to change your current single-line connection to a full-blown PDO connection script, which I suggest as a canonical example, and then just move on.

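As an added example (not code from either answer above), here is the connection from the question rewritten with emulation disabled as a connect-time option, plus a check that shows whether a given statement was really prepared on the server: MySQL's session counter Com_stmt_prepare increments only for server-side (binary protocol) prepares, so a delta of zero after prepare/execute means PDO fell back to emulation for that query. The DSN, database name and credentials are placeholders.

```php
<?php
// Placeholder connection values; replace with your own.
$dsn = "mysql:dbname=testdb;host=127.0.0.1;charset=utf8";
$options = [
    // Surface driver errors as exceptions instead of silent failures.
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    // Request native prepares at connect time rather than after the fact.
    PDO::ATTR_EMULATE_PREPARES   => false,
];
$pdo = new PDO($dsn, 'dbuser', 'dbpasswd', $options);

// Read the number of server-side prepares performed in this session so far.
function stmtPrepareCount(PDO $pdo): int
{
    $row = $pdo->query("SHOW SESSION STATUS LIKE 'Com_stmt_prepare'")->fetch();
    return (int) $row['Value'];
}

// Prepare and execute $sql with $params, and report whether the server
// counted a native prepare. With emulation (forced or as a silent fallback)
// the query text is interpolated client-side and the counter does not move.
// Note: the SHOW used to read the counter is itself prepared natively when
// emulation is off, so the delta is larger than one in that case; any
// positive delta proves the statement was sent as a real prepare.
function isNativelyPrepared(PDO $pdo, string $sql, array $params): bool
{
    $before = stmtPrepareCount($pdo);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return stmtPrepareCount($pdo) > $before;
}

// A plain SELECT is on MySQL's list of preparable statements, so this
// prints bool(true) when emulation is really off for the connection.
var_dump(isNativelyPrepared($pdo, 'SELECT ? AS v', ['x']));
var_dump($pdo->getAttribute(PDO::ATTR_EMULATE_PREPARES)); // bool(false)
```

Pass any statement you are unsure about to isNativelyPrepared() to see whether PDO silently fell back to emulation for it on your server version.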