Newsgroups: php.internals
Xref: news.php.net php.internals:115027
Date: Tue, 22 Jun 2021 21:35:03 +0700
From: php-lists@koalephant.com (Stephen Reay)
To: Mike Schinkel
Cc: Kamil Tekiela, PHP internals
Message-ID: <83D62559-0B87-4723-93B8-801905508E1F@koalephant.com>
References: <4FFA0160-1A05-4DA0-9C9A-79F778443A35@newclarity.net>
Subject: Re: [PHP-DEV] Sql Object Model Parser & Sanitizer (was [RFC] is_literal)

> On 22 Jun 2021, at 20:39, Mike Schinkel wrote:
>
>> On Jun 22, 2021, at 9:00 AM, Kamil Tekiela wrote:
>>
>> Hi Mike,
>>
>> Please don't do this. We already have PDO with prepared statements. The data must be bound. This is the secure way of writing SQL queries.
>
> The problem is that over 40% of the web currently runs on PHP code that uses mysqli. That CMS does not support PDO nor prepared statements, and is unlikely to switch to it anytime soon in the foreseeable future.
>
> A SQL object model parser and sanitizer could more easily be used incrementally by that CMS since PDO does not share connections with mysqli (AFAIK, anyway.)
>

(Resending from on-list address)

Apparently you didn't know mysqli supports parameterised queries?

Wordpress could have adopted parameterised queries when they grudgingly switched to mysqli, years after both it and PDO were introduced. There’s zero reason to believe they would adopt this unless forced to.
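For readers following the thread, here is the distinction the reply is making, as an added example that is not from any participant: the same lookup written with string interpolation and with a mysqli prepared statement. The `users` table, its columns and the connection parameters are assumed placeholders.

```php
<?php
// Added example (not from the thread): the same lookup written the two ways
// the reply contrasts. Table/column names ("users", "email") are assumed.

declare(strict_types=1);

// UNSAFE: the value is interpolated into the SQL text, so a quote or
// comment character inside $email changes the structure of the statement.
function find_user_unsafe(mysqli $db, string $email): ?array
{
    $sql = "SELECT id, email FROM users WHERE email = '$email'";
    $row = $db->query($sql)->fetch_assoc();
    return $row ?: null;
}

// SAFE: mysqli prepared statement. The SQL text reaches the server first;
// the value travels separately as a bound parameter and is never parsed
// as SQL, so no escaping or "sanitizing" of the input is needed.
function find_user_safe(mysqli $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, email FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);            // 's' = bind as a string
    $stmt->execute();                          // PHP 8.1+: execute([$email]) also works
    $row = $stmt->get_result()->fetch_assoc(); // get_result() requires mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Usage (connection details are placeholders):
// mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on errors
// $db = new mysqli('db.example', 'app', '<password>', 'app');
// var_dump(find_user_safe($db, "o'brien@example.com"));
```

Note that the prepared version handles the apostrophe in `o'brien@example.com` correctly, while the interpolated version produces a syntax error for the same input, which is the symptom that usually reveals the weakness.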