Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] New function mysqli_quote_string
From: Hans Henrik Bergan <divinity76@gmail.com>
To: Kamil Tekiela
Cc: Matteo Beccati, PHP internals
Date: Fri, 19 Dec 2025 16:09:32 +0100
References: <23051439-6f0d-4175-b632-3b943582bfe0@beccati.com>

On Fri, 19 Dec 2025 at 15:26, Kamil Tekiela wrote:
> On Fri, 19 Dec 2025 at 13:52, Matteo Beccati wrote:
> >
> > Hi Kamil,
> >
> >
> > On 18/12/2025 22:03, Kamil Tekiela wrote:
> > > Hello,
> > >
> > > I would like to open a discussion about adding a new function to PHP
> > >
> > > https://wiki.php.net/rfc/mysqli_quote_string
> > >
> > > Would you support such an addition?
> >
> > I agree with you and I prefer PDO::quote()'s behaviour over the "old"
> > non-pdo quote functions.
> >
> > However, I also think that manually interpolating parameters is not a
> > best practice that we should encourage: query parameters are a much
> > better defence against SQL injections.
> >
> > Also I'm afraid that offering two alternatives would increase the
> > confusion, especially if this new function is added only to mysqli and
> > not other prominent database extensions.
> >
> >
> > Cheers
> > --
> > Matteo
>
> Hi Matteo,
>
> The new function isn't meant to encourage this practice. My RFC
> acknowledges that query parameters are the best, but unfortunately,
> manual escaping is a must for certain applications.
>
> What other extensions do you have in mind? PDO already has it, so does
> PostgreSQL with pg_escape_literal(). Every extension is different and
> they never have the exact same functions. In fact, what I am proposing
> is to bring mysqli in line with other extensions which already have
> it.
>
> The confusion it's going to cause is minimal. The behaviour is exactly
> the same as the old function, just that the quotation marks are added
> automatically. It's not rocket science.
>
> Regards,
> Kamil
>

Btw, pg_escape_literal is mis-named. It does not escape - it quotes.
And there is an important difference between escaping and quoting: at
least for SQLite, it is impossible to make a binary-safe escape()
function, but it's fully possible to make a binary-safe quote() function
(see https://github.com/php/php-src/pull/13972).

IMO pg_escape_literal should be renamed pg_quote_literal.
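As an added example (not code from the thread, the RFC or php-src), here is a userland PHP sketch of the escape-versus-quote distinction Hans draws for SQLite, with quote() for plain text being escape() output wrapped in quotes, as Kamil describes for mysqli. The function names sqlite_escape, sqlite_quote and roundtrip are hypothetical, the NUL-to-hex-literal fallback is this sketch's own choice rather than the linked pull request's, and ext/pdo_sqlite is assumed to be available.

```php
<?php
// Added example, not code from the thread, the RFC or php-src: a userland
// sketch of "escape" versus "quote" for SQLite literals, showing why only
// quote() can be made binary-safe. All function names are hypothetical.
declare(strict_types=1);

// escape(): returns text the caller pastes between single quotes. It can
// double the quote character and nothing else, so a NUL byte lands raw in
// the SQL text; SQLite reads SQL only up to the first NUL, so the statement
// is truncated or rejected, and no escape sequence exists to prevent that.
function sqlite_escape(string $s): string
{
    return str_replace("'", "''", $s);
}

// quote(): returns the complete literal, so it may choose the literal's form.
// Text without NUL becomes '...' with doubled quotes (escape() output wrapped
// in quotes, as the RFC proposes for mysqli); a value with NUL becomes a hex
// BLOB literal X'...', which carries any byte sequence. Caveat: X'...' yields
// a BLOB, which never compares equal to TEXT in SQLite, hence the NUL check.
function sqlite_quote(string $s): string
{
    if (str_contains($s, "\0")) {
        return "X'" . bin2hex($s) . "'";
    }
    return "'" . str_replace("'", "''", $s) . "'";
}

// Round-trips a value through an in-memory SQLite database with either
// strategy; returns what was stored, or null when SQLite rejects the SQL.
// Assumes ext/pdo_sqlite is loaded.
function roundtrip(string $value, bool $useQuote): ?string
{
    $opts = [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION];
    $db = new PDO('sqlite::memory:', null, null, $opts);
    $db->exec('CREATE TABLE t (v)');
    $literal = $useQuote ? sqlite_quote($value) : "'" . sqlite_escape($value) . "'";
    try {
        $db->exec("INSERT INTO t (v) VALUES ($literal)");
    } catch (PDOException $e) {
        return null;
    }
    $stored = $db->query('SELECT v FROM t')->fetchColumn();
    return $stored === false ? null : (string) $stored;
}

$binary = "O'Reilly\0\xff"; // constructed value with an embedded NUL byte
var_dump(roundtrip("O'Reilly", false) === "O'Reilly"); // plain text via escape()
var_dump(roundtrip($binary, true) === $binary);        // binary via quote()
var_dump(roundtrip($binary, false) === $binary);       // binary via escape()
```

The third call is the case Hans describes: the caller-wrapped escape() output cannot carry the NUL byte to SQLite at all, while the quote() form can because it controls the literal syntax.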

