Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] New function mysqli_quote_string
Date: Fri, 19 Dec 2025 14:23:34 +0000
From: tekiela246@gmail.com (Kamil Tekiela)
To: Matteo Beccati
Cc: PHP internals

On Fri, 19 Dec 2025 at 13:52, Matteo Beccati wrote:
>
> Hi Kamil,
>
>
> On 18/12/2025 22:03, Kamil Tekiela wrote:
> > Hello,
> >
> > I would like to open a discussion about adding a new function to PHP
> >
> > https://wiki.php.net/rfc/mysqli_quote_string
> >
> > Would you support such an addition?
>
> I agree with you and I prefer PDO::quote()'s behaviour over the "old"
> non-pdo quote functions.
>
> However, I also think that manually interpolating parameters is not a
> best practice that we should encourage: query parameters are a much
> better defence against SQL injections.
>
> Also I'm afraid that offering two alternatives would increase the
> confusion, especially if this new function is added only to mysqli and
> not other prominent database extensions.
>
>
> Cheers
> --
> Matteo

Hi Matteo,

The new function isn't meant to encourage this practice. My RFC
acknowledges that query parameters are the best, but unfortunately,
manual escaping is a must for certain applications.

What other extensions do you have in mind? PDO already has it, so does
PostgreSQL with pg_escape_literal(). Every extension is different and
they never have the exact same functions. In fact, what I am proposing
is to bring mysqli in line with other extensions which already have it.

The confusion it's going to cause is minimal. The behaviour is exactly
the same as the old function, just that the quotation marks are added
automatically. It's not rocket science.

Regards,
Kamil