Does the PGSQL driver support prepared statements?

I am using PostgreSQL and PDO on my projects. As is said here, How can prepared statements protect from SQL injection attacks?, by default PDO does not use prepared statements for database drivers which do not support them. Does the PostgreSQL database driver (PDO_PGSQL) support prepared statements? Thanks.


PDO does not use native prepared statements by default, meaning it is emulating prepared statements internally instead of using the actually existing database API. You turn that behaviour off by setting PDO::ATTR_EMULATE_PREPARES to false.

PDO::ATTR_EMULATE_PREPARES: Enables or disables emulation of prepared statements. Some drivers do not support native prepared statements or have limited support for them. Use this setting to force PDO to either always emulate prepared statements (if TRUE), or to try to use native prepared statements (if FALSE). It will always fall back to emulating the prepared statement if the driver cannot successfully prepare the current query.

http://www.php.net/manual/en/pdo.setattribute.php

That is just to (hopefully) clarify your statement.

PDO_PGSQL has supported native prepared statements since 0.9, which was released almost 10 years ago.


The short version is that for the purpose of protecting against SQL injection it doesn't matter.

Properly implemented and consistent parameter escaping in the database driver is sufficient to offer the same level of SQL injection protection as use of server-side parameterised statements.

It'd be nice if PDO used PostgreSQL's bind-parse-execute protocol to let the server handle parameterised statements, but it's far from vital to do so.

The purpose of advising people to use parameterised statements (often inaccurately called "prepared statements") is to make sure they're consistent with how they construct statements. If all escaping goes through a single entrypoint with a properly written framework and you follow strict rules about using that framework then you're much less likely to leave accidental SQL injection holes.

You actually want PDO to do its parameterised statement emulation for non-DML/SELECT statements, because PostgreSQL's wire protocol doesn't support parameter binding for DDL.
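The following PHP script is an added example, not code from either answer, that exercises both points made above: the PDO::ATTR_EMULATE_PREPARES switch from the first answer, and the second answer's claim that emulated and native parameters give the same injection protection while only emulation lets a placeholder stand in for a literal in a non-DML statement. The DSN, credentials and the users table are assumptions made for illustration; the hostile input is constructed.

```php
<?php
// Added example (not from the original question or answers): run the same
// parameterised statements through PDO_PGSQL in native mode and in PDO's
// client-side emulation mode and compare the outcome.
// The DSN, credentials and the "users" table are assumptions for illustration.
$pdo = new PDO(
    'pgsql:host=localhost;dbname=app',   // assumed DSN
    'app', 'secret',                      // assumed credentials
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

// A throwaway table so the script is self-contained (dropped at session end).
$pdo->exec('CREATE TEMP TABLE users (id serial PRIMARY KEY, name text NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Constructed injection payload. In both modes it must be treated as an
// opaque string literal, so the lookup matches no row.
$hostile = "' OR '1'='1";

$modes = [
    ['emulate' => false, 'label' => 'native (placeholders become $1, $2 ... over the extended protocol)'],
    ['emulate' => true,  'label' => 'emulated (PDO quotes the value and inlines it client-side)'],
];

foreach ($modes as $mode) {
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, $mode['emulate']);
    echo $mode['label'], "\n";

    // 1. Ordinary DML/SELECT: identical protection in both modes.
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->execute([$hostile]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    echo '  rows matched for injection payload: ', count($rows), "\n";   // expect 0 in both modes

    // 2. A statement whose value position is a literal, not an expression.
    //    The server only accepts bind parameters in expression positions, so
    //    "SET search_path TO $1" is rejected natively, whereas emulation
    //    rewrites it to  SET search_path TO 'public'  before sending.
    try {
        $stmt = $pdo->prepare('SET search_path TO ?');
        $stmt->execute(['public']);
        echo "  SET with placeholder: accepted\n";
    } catch (PDOException $e) {
        echo '  SET with placeholder: rejected (', trim($e->getMessage()), ")\n";
    }
}
```

The first probe prints 0 rows in both modes, which is the second answer's point: whether the value travels as a bound parameter or as a correctly quoted literal, it never reaches the parser as SQL. The second probe is where the modes differ, and it is the reason the second answer says you want emulation for statements that are not DML or SELECT: with native prepares the server refuses the placeholder, and PDO_PGSQL raises a PDOException instead of silently falling back.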
