queries to be emulated by the driver. This means that even though the client
library (mysqlnd or libmysql) may support prepared statements, PDO will never
really use them.
It goes on to say that this was originally done like this because MySQL 5.1.16 and earlier don't cache prepared statements and this works around that. I can sort of understand that... But it's been like five and a half years since that was fixed, and we are still defaulting to this!
Does anybody know what kind of performance and security implications this has? The main reason I use prepared statement in the first place is to avoid any possibility of SQL injection that might occur due to a bug in the escape code. That assurance is - theoretically at least - lost when this is enabled. I'd also imagine that the otherwise unnecessary escaping + injecting + parsing that occurs could have some small performance penalty. (Which I'm planing to test later.)
What I find most interesting about this is the lack of documentation. While the constant that can be used to disable this behavior (PDO::ATTR_EMULATE_PREPARES) is listed in the PDO predefined constants list, it is neither explained there nor in the PDO_MySQL page. I didn't even know, nor suspect, that this was an issue before I accidentally stumbled upon that feature request.