To answer your concerns:
-
MySQL >= 5.1.17 (or >= 5.1.21 for the
PREPARE
andEXECUTE
statements) can use prepared statements in the query cache. So your version of MySQL+PHP can use prepared statements with the query cache. However, make careful note of the caveats for caching query results in the MySQL documentation. There are many kinds of queries which cannot be cached or which are useless even though they are cached. In my experience the query cache isn’t often a very big win anyway. Queries and schemas need special construction to make maximum use of the cache. Often application-level caching ends up being necessary anyway in the long run. -
Native prepares doesn’t make any difference for security. The pseudo-prepared statements will still escape query parameter values, it will just be done in the PDO library with strings instead of on the MySQL server using the binary protocol. In other words, the same PDO code will be equally vulnerable (or not-vulnerable) to injection attacks regardless of your
EMULATE_PREPARES
setting. The only difference is where the parameter replacement occurs–withEMULATE_PREPARES
, it occurs in the PDO library; withoutEMULATE_PREPARES
, it occurs on the MySQL server. -
Without
EMULATE_PREPARES
you may get syntax errors at prepare-time rather than at execute-time; withEMULATE_PREPARES
you will only get syntax errors at execution time because PDO doesn’t have a query to give to MySQL until execution time. Note that this affects the code you will write! Especially if you are usingPDO::ERRMODE_EXCEPTION
!
An additional consideration:
- There is a fixed cost for a
prepare()
(using native prepared statements), so aprepare();execute()
with native prepared statements may be a little slower than issuing a plain textual query using emulated prepared statements. On many database systems the query plan for aprepare()
is cached as well and may be shared with multiple connections, but I don’t think MySQL does this. So if you do not reuse your prepared statement object for multiple queries your overall execution may be slower.
As a final recommendation, I think with older versions of MySQL+PHP, you should emulate prepared statements, but with your very recent versions you should turn emulation off.
After writing a few apps that use PDO, I’ve made a PDO connection function which has what I think are the best settings. You should probably use something like this or tweak to your preferred settings:
/**
* Return PDO handle for a MySQL connection using supplied settings
*
* Tries to do the right thing with different php and mysql versions.
*
* @param array $settings with keys: host, port, unix_socket, dbname, charset, user, pass. Some may be omitted or NULL.
* @return PDO
* @author Francis Avila
*/
function connect_PDO($settings)
{
$emulate_prepares_below_version = '5.1.17';
$dsndefaults = array_fill_keys(array('host', 'port', 'unix_socket', 'dbname', 'charset'), null);
$dsnarr = array_intersect_key($settings, $dsndefaults);
$dsnarr += $dsndefaults;
// connection options I like
$options = array(
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC
);
// connection charset handling for old php versions
if ($dsnarr['charset'] and version_compare(PHP_VERSION, '5.3.6', '<')) {
$options[PDO::MYSQL_ATTR_INIT_COMMAND] = 'SET NAMES '.$dsnarr['charset'];
}
$dsnpairs = array();
foreach ($dsnarr as $k => $v) {
if ($v===null) continue;
$dsnpairs[] = "{$k}={$v}";
}
$dsn = 'mysql:'.implode(';', $dsnpairs);
$dbh = new PDO($dsn, $settings['user'], $settings['pass'], $options);
// Set prepared statement emulation depending on server version
$serverversion = $dbh->getAttribute(PDO::ATTR_SERVER_VERSION);
$emulate_prepares = (version_compare($serverversion, $emulate_prepares_below_version, '<'));
$dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, $emulate_prepares);
return $dbh;
}