Newsgroups: php.internals
To: PHP internals
Message-ID: <445707c1-2b67-1f46-8d93-d9e0ca420b87@gmail.com>
Date: Sat, 27 Feb 2021 17:52:29 +0000
Subject: Re: [PHP-DEV] [RFC]: Change Default mysqli Error Mode
From: rowan.collins@gmail.com (Rowan Tommins)

On 27/02/2021 16:57, Kamil Tekiela wrote:
>
>     If product_id is actually an integer column, this function is
>     technically broken: given a non-integer input, it will produce an
>     error
>     in the database.
>
>
> I'm sorry, but I do not understand why would that code produce an
> error. The value is properly escaped and formatted so there should be
> no error at all. Is this based on some SQL setting? That SQL looks
> correct to me and I do not see any syntax errors.

That's precisely why it's the kind of code that goes unfixed for years, but it is broken: if $product_id is the string 'hello world', then this line...

    $sql = "Select * From products Where product_id = '" . $dbWrapper->escape($product_id) . "'";

...produces this SQL:

    Select * From products Where product_id = 'hello world'

If product_id is a column of type int, then the database will raise an error about incompatible types. If the PHP database wrapper just swallows this error and returns false, then somewhere else in the code, you can write this:

    $product = get_product($_GET['product_id']);
    if ( ! $product ) {
        display_error_message('Sorry, we could not find that product.');
    }

So although the code is wrong, the user always gets a reasonable error message.

Now replace the database implementation with one that throws exceptions, and that message will never display; if you're lucky, there's a default exception handler set; if not, the user will get a blank white page.

Regards,

-- 
Rowan Tommins
[IMSoP]
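The behaviour change described in this message, as an added example that is not part of the original email or of any PHP project code: it runs the caller from the message, and a caller that validates its input and catches database failures, against both error modes. `FakeDb`, `findProduct`, `legacy_page` and `hardened_page` are hypothetical names, and `FakeDb` is a constructed stand-in that simulates a database type error rather than calling mysqli.

```php
<?php
// Constructed stand-in for a DB wrapper: a type error is swallowed (false) or thrown.
final class FakeDb
{
    public function __construct(private bool $throws) {}
    public function findProduct(string $productId): array|false
    {
        if (preg_match('/^-?\d+$/', $productId)) {
            return $productId === '42' ? ['name' => 'Widget'] : false;
        }
        if ($this->throws) {
            throw new RuntimeException('invalid integer value');
        }
        return false; // error silently swallowed
    }
}

// Caller as in the message: relies on false meaning "not found".
function legacy_page(FakeDb $db, string $raw): string
{
    $product = $db->findProduct($raw);
    return $product ? "Product: {$product['name']}" : 'Sorry, we could not find that product.';
}

// Same result in both modes: validate first, catch database failures.
function hardened_page(FakeDb $db, string $raw): string
{
    $id = filter_var($raw, FILTER_VALIDATE_INT);
    if ($id === false) {
        return 'Sorry, we could not find that product.';
    }
    try {
        $product = $db->findProduct((string) $id);
    } catch (RuntimeException $e) {
        error_log('product lookup failed: ' . $e->getMessage());
        return 'Sorry, something went wrong.';
    }
    return $product ? "Product: {$product['name']}" : 'Sorry, we could not find that product.';
}

foreach ([false, true] as $throws) {
    foreach (['legacy_page', 'hardened_page'] as $page) {
        try {
            $out = $page(new FakeDb($throws), 'hello world');
        } catch (RuntimeException $e) {
            $out = 'UNCAUGHT ' . get_class($e) . ': ' . $e->getMessage();
        }
        echo ($throws ? 'throwing' : 'silent'), " db, $page: $out\n";
    }
}
```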