Discussion: consider disabling PDO emulated query parser by default #7146
Description
I've been linked to a quite interesting article regarding possible SQL injection when using PDO: https://slcyber.io/assetnote-security-research-center/a-novel-technique-for-sql-injection-in-pdos-prepared-statements/. It describes a method that confuses the PDO emulated query parser into something that shouldn't happen with bound parameters, which in certain scenarios can be used to execute SQL injection.
This brings the question: why should we even want to use this emulation? From my understanding this is an artifact from the past, where the common consensus was that it would benefit performance as prepared statements would skip the query cache with older MySQL versions. But is that still relevant today?
Which is why I'd like to open a discussion: should dbal (or possibly orm) consider setting the PDO::ATTR_EMULATE_PREPARES to false by default?
Proof of concept with doctrine:
$address = $request->query->getString('q'); // http://somehost/some/page?q=?%00
dd($this
->getEntityManager()
->getConnection()
->executeStatement("SELECT * FROM address WHERE address1 LIKE '%$address%' AND city = ?", ['enschede'])
);Which throws SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens, which is solved by adding ->option(PDO::ATTR_EMULATE_PREPARES, false) to the dbal driver configuration.