Prepared statements are a feature of the low-level database driver. The database first accepts the query structure, then receives the variable parameters separately. Again, this is a feature actually supported by the database itself.
"Emulated prepares" means that you use the same API on the PHP side, with separate calls to prepare() and bind / execute, but that the PDO driver simply escapes and concatenates the values internally and sends one long SQL string to the database. The database's built-in parameterized query feature is not used.
Turning off emulated prepares makes PDO use the database's built-in parameterized query feature. You should only enable emulated prepares if your database (-driver) does not support built-in parameterized queries. Emulated prepares exist only to support older databases (-drivers); it does not change how you bind the parameters in your PHP code.
Emulated prepares can expose security vulnerabilities in certain circumstances, as does any client-side escaping and concatenation. If the query and the data stay separated all the way down to the database, these vulnerabilities are impossible.
deceze
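An added example, not part of deceze's answer, showing the two settings described above side by side. The DSN, credentials, table and column names are placeholders; the point is that the PHP-side binding code is identical in both cases and only the wire behaviour differs.

```php
<?php
// Added example (not from the original answer). Host, database, credentials
// and the `users` table are assumed placeholders.

// Setting the connection charset in the DSN matters for the emulated case:
// the client-side escaping PDO performs must know which charset it is
// escaping for, so never rely on a later "SET NAMES" query instead.
$dsn = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4';

// Recommended: native (server-side) prepares. The query text goes to the
// server first; the values are shipped separately and can never be parsed
// as SQL, whatever they contain.
$native = new PDO($dsn, 'app_user', 'secret', [
    PDO::ATTR_EMULATE_PREPARES   => false,
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Fallback only for drivers without native parameterized queries: PDO
// escapes and concatenates the values itself and sends one SQL string.
$emulated = new PDO($dsn, 'app_user', 'secret', [
    PDO::ATTR_EMULATE_PREPARES   => true,
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

function findActiveUsers(PDO $pdo, string $username, int $limit): array
{
    // Identical binding code for both connections.
    $stmt = $pdo->prepare(
        'SELECT id, email FROM users WHERE username = :name AND status = :status LIMIT :lim'
    );
    $stmt->bindValue(':name',   $username, PDO::PARAM_STR);
    $stmt->bindValue(':status', 'active',  PDO::PARAM_STR);
    // Typed binding matters with emulation: an untyped value would be quoted
    // as a string and MySQL rejects LIMIT '10'. With native prepares the
    // server already knows the parameter type.
    $stmt->bindValue(':lim',    $limit,    PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll();
}

// Hostile input stays a literal value in both modes; with native prepares
// it never even passes through the server's SQL parser as part of the query.
$hostile = "admin' OR '1'='1";
$rowsNative   = findActiveUsers($native,   $hostile, 10);
$rowsEmulated = findActiveUsers($emulated, $hostile, 10);

// Confirm which mode a connection is actually running in.
var_dump($native->getAttribute(PDO::ATTR_EMULATE_PREPARES));   // bool(false)
var_dump($emulated->getAttribute(PDO::ATTR_EMULATE_PREPARES)); // bool(true)
```

Both queries return the same (empty) result for the hostile username; the difference is that the native connection never had a chance to misinterpret the value, because the structure and the data travelled separately, while the emulated connection depended on PDO's own escaping being correct for the connection's charset.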