Newsgroups: php.internals
Xref: news.php.net php.internals:117601
References: <1804F385-5BB5-4614-8EB3-01042DCF0DD3@craigfrancis.co.uk>
In-Reply-To: <1804F385-5BB5-4614-8EB3-01042DCF0DD3@craigfrancis.co.uk>
Date: Mon, 25 Apr 2022 18:38:22 +0200
To: Craig Francis
Cc: PHP internals
Subject: Re: [PHP-DEV] MySQLi Execute Query RFC
From: guilliam.xavier@gmail.com (Guilliam Xavier)

On Mon, Apr 25, 2022 at 1:05 PM Craig Francis wrote:

> On 22 Apr 2022, at 13:09, Guilliam Xavier wrote:
>
> > > https://wiki.php.net/rfc/mysqli_execute_query
> >
> > Thanks. Maybe add (or even start with) an example of mysqli_query(), to
> > show how "migrating to safer" would become easier? retro-fitting your
> > example of parameterised query:
>
> Thanks Guilliam, that's a good idea.
>
> To keep it short, I've gone with a more traditional use of
> `$db->real_escape_string()` with string concatenation, including a
> classic mistake with missing quotes around integer values :-)
>
> I do like your example with `vsprintf()`, but I needed to replace the "?"
> with "%s" as well, which made it look more complicated than pre-8.1 prepared
> statements, I hope that's ok.
>

Of course that's "ok", you own your RFC ;)

I had suggested [v]sprintf for brevity and similarity with your parameterised query examples and https://www.php.net/manual/en/mysqli.real-escape-string.php#refsect1-mysqli.real-escape-string-examples too, but concatenation is probably more "realistic" anyway...

--
Guilliam Xavier
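As an added illustration of the migration discussed in this thread (not code from the RFC or from either poster): the legacy `real_escape_string()` plus concatenation pattern with the missing-quotes mistake Craig mentions, beside the `execute_query()` form the RFC proposes for PHP 8.2 and its PHP 8.1 prepared-statement equivalent. The connection details, the `users` table and the function names are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Connection details and the `users` table are constructed for this example.
$db = new mysqli('127.0.0.1', 'app', 'secret', 'appdb');
$db->set_charset('utf8mb4'); // escaping is only correct for the connection's charset

// Legacy pattern: escape, then concatenate. real_escape_string() only neutralises
// quote and control characters *inside a quoted string literal*; the `id` value
// below is interpolated without quotes, so escaping gives it no protection and
// the resulting statement text is controlled by whatever the caller passed in.
function find_user_legacy(mysqli $db, string $name, string $id): ?array
{
    $sql = 'SELECT id, name FROM users WHERE name = "' . $db->real_escape_string($name) . '"'
         . ' AND id = ' . $db->real_escape_string($id); // classic mistake: no quotes around the integer
    $result = $db->query($sql);
    return $result->fetch_assoc() ?: null;
}

// Migrated pattern (PHP 8.2, the RFC's execute_query()): values are sent as bound
// parameters, never spliced into the SQL text, so quoting and escaping are no
// longer the caller's responsibility and the integer cannot leak into the statement.
function find_user(mysqli $db, string $name, int $id): ?array
{
    $result = $db->execute_query(
        'SELECT id, name FROM users WHERE name = ? AND id = ?',
        [$name, $id]
    );
    return $result->fetch_assoc() ?: null;
}

// Same query on PHP 8.1, where execute() accepts parameters but execute_query()
// does not exist yet: three calls instead of one.
function find_user_81(mysqli $db, string $name, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ? AND id = ?');
    $stmt->execute([$name, $id]);
    return $stmt->get_result()->fetch_assoc() ?: null;
}

var_dump(find_user($db, 'alice', 42));
```

Note that the `int $id` type on the migrated functions also fails fast (a `TypeError` under `strict_types`) if a non-integer reaches the call, which the legacy string-typed version silently accepted.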