
PDO has the option PDO::ATTR_EMULATE_PREPARES, which controls whether prepared statements should be emulated only if the database does not support them, or always. However, the documentation does not mention whether PDO always emulates them by default or not.

Usually one would assume that emulation is only used if necessary but since it's PHP nothing can be assumed just because it's sane...

ThiefMaster

  • Can one tell me what emulation means? And how BAD it can be? – Shubham May 16 '12 at 11:04
  • There will be no error checking during the `->prepare()` call and PDO needs to escape your parameters instead of transmitting them separately to the database. It will also not profit from optimizations the database might be able to do when you prepare a statement and then execute it many times. – ThiefMaster May 16 '12 at 11:12
  • @Shubham In this case, it means using string escapes instead of actual prepared statements. Escaping [allows for SQL injection](https://stackoverflow.com/q/5741187/1394393), whereas prepared statements fully prevent it. – jpmc26 Sep 20 '19 at 04:12

1 Answer


Depends on the database driver. They are always emulated by default for MySQL (although of course you can turn the option off manually); in Postgres the proper default setting is detected dynamically.

Sergey Telshevsky
Jon

  • This is confusing. Your code reference says something different than the documentation: _PDO_MYSQL will take advantage of native prepared statement support present in MySQL 4.1 and higher. If you're using an older version of the mysql client libraries, PDO will emulate them for you._ (http://www.php.net/manual/en/ref.pdo-mysql.php) – CodeZombie May 16 '12 at 11:23
  • @ZombieHunter: If the code says something different than the documentation then obviously the documentation (or its interpretation) is wrong. In this specific case IMHO it should read "**can** take advantage". Docs are wrong all the time (PHP's more often than others, as is typical... *sigh*); I have lost count of how many times I discovered *outright lies* in the documentation myself. – Jon May 16 '12 at 11:25
  • I was aware that I can rather trust the code you referenced than the documentation but couldn't believe it. That's really a pain, you have to check everything in PHP before you trust it :-/ – CodeZombie May 16 '12 at 11:29
  • "*If the code says something different than the documentation then obviously the documentation (or its interpretation) is wrong*"—not necessarily: the code may be buggy. Generally speaking, I consider documentation to be a specification of correct behaviour; and any inconsistency with code to be an implementation error. – eggyal Jul 06 '16 at 09:35
  • There seem to be [numerous open bugs](https://bugs.php.net/search.php?cmd=display&search_for=ATTR_EMULATE_PREPARES&direction=DESC&limit=30&package_name[]=PDO+MySQL) for PDO MySQL related to using non emulated prepared statements. Maybe that's one reason why they are reluctant to turn it on by default. – mata Sep 20 '16 at 17:49
  • SQL Server seems to have it disabled by default. https://learn.microsoft.com/en-us/sql/connect/php/pdo-prepare?view=sql-server-2017 – mbomb007 Jul 16 '19 at 19:26
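Since the default varies per driver, the practical takeaway from the answer and the comments above is to set PDO::ATTR_EMULATE_PREPARES explicitly and then read it back, rather than trusting either the documentation or the driver. The following is an added example, not code from the original question or answer; the DSN, table and credentials are placeholders.

```php
<?php
// Added example (not from the original post): connect with prepared-statement
// emulation turned off and verify the setting the driver actually applied.
// $dsn, the credentials and the "users" table are placeholders. charset=utf8mb4
// in the DSN is deliberate: if emulation were still on, PDO's client-side
// escaping would at least use the same character set as the server connection.

declare(strict_types=1);

function connectWithNativePrepares(string $dsn, string $user, string $password): PDO
{
    $pdo = new PDO($dsn, $user, $password, [
        // Off: the driver transmits the statement and its parameters separately.
        // On (pdo_mysql's default): PDO escapes and interpolates the values itself.
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);

    // Read back what the driver really applied instead of assuming the default.
    // pdo_mysql reports this attribute as an integer, so test it loosely.
    if ($pdo->getAttribute(PDO::ATTR_EMULATE_PREPARES)) {
        throw new RuntimeException(sprintf(
            'Driver "%s" is still emulating prepared statements',
            $pdo->getAttribute(PDO::ATTR_DRIVER_NAME)
        ));
    }
    return $pdo;
}

// With native prepares the server parses the SQL during prepare(), so a
// syntax error is raised here rather than silently deferred to execute().
function findUserByEmail(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]); // bound, never spliced into the SQL text
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = connectWithNativePrepares(
    'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4', // placeholder DSN
    'app_user',                                         // placeholder
    'app_password'                                      // placeholder
);
// A value containing a quote is handled by the server-side parameter, not by escaping.
var_dump($pdo->getAttribute(PDO::ATTR_DRIVER_NAME), findUserByEmail($pdo, "o'brien@example.com"));
```

Swapping the DSN for a pgsql one exercises the "detected dynamically" behaviour the answer describes; the read-back check is what makes the difference visible.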