Newsgroups: php.internals
Date: Thu, 3 Dec 2020 10:03:04 +0000
From: craig@craigfrancis.co.uk (Craig Francis)
To: Kamil Tekiela
Cc: PHP internals
Subject: Re: [PHP-DEV] MySQLi extension basic examples

On Sat, 28 Nov 2020 at 16:26, Kamil Tekiela wrote:

> I would like to hear your opinions about the following page in the PHP
> manual:
> https://www.php.net/manual/en/mysqli.examples-basic.php

Oh, wow, I didn't expect to find this on the PHP website:

> $aid = (int) $_GET['aid'];
> ...
> $sql = "SELECT actor_id, first_name, last_name FROM actor WHERE actor_id = $aid";
> if (!$result = $mysqli->query($sql)) {
> ...

Please remove this as soon as possible.

Maybe just replace it with a link to this page:
https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php

While I'm not a fan of mysqli bind_param (far too complicated for new
developers), it's needed to use mysqli safely (allows the SQL string to be
made entirely of programmer-defined, safe literals, not tainted by external
sources). e.g. this common mistake, which doesn't quote the escaped value,
does not consider NO_BACKSLASH_ESCAPES, and can still have encoding issues:

$sql = "SELECT actor_id, first_name, last_name FROM actor WHERE actor_id = " . mysqli_real_escape_string($mysqli, $aid);

Craig

On Sat, 28 Nov 2020 at 16:26, Kamil Tekiela wrote:

> Hi Internals,
>
> I would like to hear your opinions about the following page in the PHP
> manual:
> https://www.php.net/manual/en/mysqli.examples-basic.php
>
> Currently, this is the only "example" apart from the quick start
> guide. There is a whole section
> https://www.php.net/manual/en/mysqli.examples.php which suggests that
> there were more or that there were meant to be more examples; however,
> there is only that one example now.
>
> People have complained about the quality of this example for a number
> of years, including myself. The page does not show best practices,
> encourages SQL injection and poor error handling, and lacks a prepared
> statement example. As a result, it does more harm than good.
>
> There are two possible solutions.
> 1. Get rid of the examples section.
> 2. Write a proper mysqli example.
> While I could create a PR suggesting a better example, I would advise
> that we remove it completely. This API is not suited to be used
> directly in business logic. This functionality should be wrapped in a
> database abstraction layer. For this reason, this example is not much
> more useful than the examples located on each function's own page.
> Users writing abstraction libraries are more interested in an example
> for a particular function than in an overall example.
>
> What are your opinions? Would it be ok to remove that page?
>
> Best Regards,
> Kamil Tekiela
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: https://www.php.net/unsub.php
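As an added illustration (not code from the manual page or from anyone in this thread), here is the same actor lookup written the three ways discussed above: the manual's interpolation, the unquoted-escape mistake, and the prepared statement Craig recommends. It assumes an open mysqli connection in $mysqli, the `actor` table from the manual example, and mysqlnd (for get_result()).

```php
<?php
// Added example: three versions of the actor lookup from the manual page.
// Assumes $mysqli is a connected mysqli object and `actor` exists as in the manual.
declare(strict_types=1);

// Throw on driver errors instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// 1. Interpolation, as on the manual page. This is only safe because of the
//    (int) cast; the pattern breaks as soon as the value is a string column.
function findActorInterpolated(mysqli $mysqli, string $rawId): ?array
{
    $aid = (int) $rawId;
    $sql = "SELECT actor_id, first_name, last_name FROM actor WHERE actor_id = $aid";
    return $mysqli->query($sql)->fetch_assoc() ?: null;
}

// 2. Escaping without quoting, the "common mistake" from the reply. The escaped
//    value is not wrapped in quotes, so any characters that are not quote or
//    backslash characters reach the SQL parser unchanged; correctness also
//    depends on the connection charset and on SQL_MODE (NO_BACKSLASH_ESCAPES).
function findActorEscaped(mysqli $mysqli, string $rawId): ?array
{
    $sql = "SELECT actor_id, first_name, last_name FROM actor WHERE actor_id = "
         . mysqli_real_escape_string($mysqli, $rawId); // unquoted: not a fix
    return $mysqli->query($sql)->fetch_assoc() ?: null;
}

// 3. Prepared statement: the SQL text is a fixed literal written by the
//    programmer, and the value travels separately, so quoting, charset and
//    SQL_MODE no longer affect how the query is parsed.
function findActorPrepared(mysqli $mysqli, string $rawId): ?array
{
    $stmt = $mysqli->prepare(
        'SELECT actor_id, first_name, last_name FROM actor WHERE actor_id = ?'
    );
    $aid = (int) $rawId;
    $stmt->bind_param('i', $aid); // 'i' = integer; bound by reference
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}
```

Only the third version keeps user input out of the SQL text entirely; the first two differ only in how much the programmer has to get right for the string to stay safe.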