Because of performance issues with MySQL and prepared statements, it is possible that the prepared statements are (unfortunately) emulated (see PDO::setAttribute and PDO::prepare).
I would recommend setting PDO::ATTR_EMULATE_PREPARES to false as much as possible.
Based on what I have read, emulated prepares are as safe as native prepares if you use them correctly. Turning them off is a safer choice from a configuration perspective, though, because it forces SQL to do the work. Setting up PDO could be a topic of its own post.
I am not aware of the internal implementation, but I still feel that a native prepared statement is way safer than an emulated one (as the only obvious implementation would rely on some form of input escaping, which does not always work as intended).
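For readers who want the concrete setup the comments above are debating, here is an added example (not code from any of the commenters) that builds a PDO connection with PDO::ATTR_EMULATE_PREPARES turned off, checks that the setting actually took effect, and runs two parameterised queries. The DSN, credentials, table and column names are placeholders chosen for the example.

```php
<?php
declare(strict_types=1);

// Added example: configure PDO so that MySQL, not the PDO driver, handles
// prepared statements. Host, database, user and schema are assumed values.
$dsn = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4';
$options = [
    // Disable client-side emulation: the SQL text with placeholders is sent
    // to the server once, and parameter values travel separately, so the
    // driver never splices (escaped) input into the query string.
    PDO::ATTR_EMULATE_PREPARES => false,
    // Fail loudly instead of returning false on errors.
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
];
$pdo = new PDO($dsn, 'app_user', getenv('DB_PASSWORD') ?: '', $options);

// Verify the attribute rather than trusting the constructor call: a driver
// that does not support native prepares could leave emulation switched on.
if ($pdo->getAttribute(PDO::ATTR_EMULATE_PREPARES)) {
    throw new RuntimeException('PDO is still emulating prepared statements');
}

// Hostile-looking input is passed purely as data; it cannot alter the query.
function findUserByEmail(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// With native prepares a LIMIT operand must be bound as an integer. Passing
// it through execute() as part of an array would send it as a string, which
// MySQL rejects in LIMIT; emulation would have quoted it into the SQL text.
function recentUsers(PDO $pdo, int $limit): array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users ORDER BY id DESC LIMIT :limit');
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll();
}

var_dump(findUserByEmail($pdo, "' OR 1=1 -- ")); // NULL unless such an email literally exists
var_dump(count(recentUsers($pdo, 5)) <= 5);      // bool(true)
```

Two behavioural differences worth knowing once emulation is off: MySQL native prepared statements do not allow the same named placeholder to be used twice in one query (bind two distinct names instead), and a statement that emulation would have accepted with a string-typed LIMIT now needs an explicit PDO::PARAM_INT bind, as in recentUsers() above.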