Can PHP PDO be limited to a single request?

Question

Can PHP PDO be limited to a single request?

PHP PDO allows you to run multiple queries simultaneously, either using the query () method, or as a prepared statement. Both of the following examples work:

// Two SQL queries $query = "SELECT * FROM table; DROP table;" // Execute via query() $pdo->query($query); // Execute via prepared statement $stmt = $pdo->prepare($query); $stmt->execute();

Is there a way to limit the PDO for one query at a time, like the mysql_query () function?

+5

php mysql sql-injection pdo

Ben dowling May 10 '10 at 11:44

source share

2 answers

Mmm, there is a way to achieve this by disabling the emulation of prepared statements in PDO, to use the mysql native API instead (the multiprocessor is not supported in server-side prepared statements):

 $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

However, one of the drawbacks of this option is that the query cache is lost.

+6

nuqqsa May 10 '10 at 12:46

source share

tpunt · Accepted Answer · 2015-08-02T11:34:28+0000

This is a more modern answer to this question.

The old way to prevent multiple queries from executing was to disable emulated prepares, however this only applies to the PDO::prepare() method. In newer versions of PHP (> = 5.5.21 and> = 5.6.5), a new constant has been introduced to disable this multi-process execution in both PDO::prepare() and PDO::query() . (Constants are not usually added in patch versions, but this was done due to the severity of the Drupal SQL injection attack caused by this feature).

The new constant PDO::MYSQL_ATTR_MULTI_STATEMENTS should be set when creating the object (as the fourth argument to the PDO constructor) - setting it to an existing object using PDO::setAttribute() will not work.

 $pdo = new PDO('mysql:host=_;dbname=_', '', '', [PDO::MYSQL_ATTR_MULTI_STATEMENTS => false]);

Can PHP PDO be limited to a single request?

More articles: