Newsgroups: php.internals
Date: Sat, 17 Jul 2021 10:59:07 +0100
Subject: Re: [PHP-DEV] [RFC] [VOTE] is_literal
From: craig@craigfrancis.co.uk (Craig Francis)
To: Hans Henrik Bergan
Cc: PHP internals

On Sat, 17 Jul 2021 at 08:59, Hans Henrik Bergan wrote:

> i can tell from only that diff that, at least as of 5.5.1, woocommerce is
> not compatible with @@SQL_MODE=ANSI_QUOTES :p

Yep, and I did that years ago - I preferred to use single quotes for strings in PHP (so variables stood out), and double quotes for SQL.

Just for fun, `NO_BACKSLASH_ESCAPES` is a good way to mess with people (I believe the "real" escaping method can catch this, but I wouldn't trust it).

When it comes to escaping in general, my favourite mistake is:

    $sql = 'WHERE id = ' . $mysqli->real_escape_string($_GET['id']);

Where the assumed to be number hasn't been quoted at all :-)

PDO::quote() does work a bit better (by adding the quotes itself), but I still prefer its documentation - noting how the quoted string is only "theoretically safe", and that "you are strongly recommended to use PDO::prepare() to prepare SQL statements with bound parameters".

https://www.php.net/manual/en/pdo.quote.php

Craig
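
The unquoted-number mistake described in the message above, next to PDO::quote() and a bound parameter, as an added example that is not part of the original message. It assumes the pdo_sqlite extension so it runs without a MySQL server; the `item` table, the sample value and `escape_only()` (a stand-in for `real_escape_string()`) are constructed for illustration.

```php
<?php
// Added example; table, rows and helper names are constructed for illustration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE item (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO item (id, name) VALUES (1, 'first'), (2, 'second'), (3, 'third')");

// Stand-in for $mysqli->real_escape_string(): escapes quote characters but
// adds no surrounding quotes (here: PDO::quote() with its outer quotes removed).
function escape_only(PDO $pdo, string $value): string
{
    return substr($pdo->quote($value), 1, -1);
}

// Constructed request value: it contains no quote characters,
// so escaping returns it unchanged.
$id = '1 OR 1=1';

// 1. The mistake from the message: escaped, but placed in an unquoted context,
//    so the value is parsed as SQL rather than as a single number.
$sql = 'SELECT name FROM item WHERE id = ' . escape_only($pdo, $id);
$unquoted = $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);

// 2. PDO::quote() adds the quotes itself, so the value stays one string literal.
$sql = 'SELECT name FROM item WHERE id = ' . $pdo->quote($id);
$quoted = $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);

// 3. Bound parameter: the value never becomes part of the SQL text.
$stmt = $pdo->prepare('SELECT name FROM item WHERE id = ?');
$stmt->execute([$id]);
$bound = $stmt->fetchAll(PDO::FETCH_COLUMN);

printf(
    "unquoted: %d row(s)\nquoted: %d row(s)\nbound: %d row(s)\n",
    count($unquoted),
    count($quoted),
    count($bound)
);
```

How the quoted string compares against an integer column differs between database engines, which is one more reason to prefer the bound parameter in case 3.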