Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/adodb-mysqli.inc.php | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/drivers/adodb-mysqli.inc.php b/drivers/adodb-mysqli.inc.php index 95c0c8f9..1c2b71ea 100644 --- a/drivers/adodb-mysqli.inc.php +++ b/drivers/adodb-mysqli.inc.php @@ -75,6 +75,25 @@ class ADODB_mysqli extends ADOConnection { var $ssl_capath = null; var $ssl_cipher = null; + /** + * Forcing emulated prepared statements. + * + * When set to true, ADODb will not execute queries using MySQLi native + * bound variables, and will instead use the built-in string interpolation + * and argument quoting from the parent class {@see ADOConnection::Execute()}. + * + * This is needed for some database engines that use mysql wire-protocol but + * do not support prepared statements, like + * {@see https://manticoresearch.com/ Manticore Search} or + * {@see https://clickhouse.com/ ClickHouse}. + * + * WARNING: This is a potential security risk, and strongly discouraged for code + * handling untrusted input {@see https://github.com/ADOdb/ADOdb/issues/1028#issuecomment-2081586024}. + * + * @var bool $doNotUseBoundVariables + */ + var $doNotUseBoundVariables = false; + /** @var mysqli Identifier for the native database connection */ var $_connectionID = false; @@ -1105,6 +1124,10 @@ class ADODB_mysqli extends ADOConnection { public function execute($sql, $inputarr = false) { + if ($this->doNotUseBoundVariables) { + return parent::execute($sql, $inputarr); + } + if ($this->fnExecute) { $fn = $this->fnExecute; $ret = $fn($this, $sql, $inputarr); |
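Review bot: The WARNING paragraph in the docblock for `$doNotUseBoundVariables` names a risk without saying what it is, so a caller cannot judge when enabling the flag is acceptable. I would spell it out, e.g. `* WARNING: with this flag on, parameter values are quoted into the SQL string client-side, so injection safety rests entirely on that quoting matching the server's string-literal rules and the connection charset.` This matters most for the non-MySQL engines the docblock lists, whose escaping rules may differ from MySQL's; the hunk does not show how the parent class quotes its arguments. Separately, "ADODb" in the second paragraph should read "ADOdb".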
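Review bot: The guard `if ($this->doNotUseBoundVariables)` at the top of execute() is a loose truthiness test on a public property, so any non-empty value, including the string `'false'` read from a config file, silently switches every query to the emulated path. Since the property is documented as bool and gates a security-relevant downgrade, compare strictly: `if ($this->doNotUseBoundVariables === true) {`. The early return also bypasses everything this method does from the `fnExecute` check onward. The body continues outside the hunk, so confirm that the parent implementation still invokes that hook and any logging the driver relies on.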
