Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] New function mysqli_quote_string
From: Marco Pivetta <ocramius@gmail.com>
To: Matteo Beccati
Cc: PHP internals
Date: Fri, 19 Dec 2025 23:45:32 +0100
In-Reply-To: <23051439-6f0d-4175-b632-3b943582bfe0@beccati.com>

Hey Kamil, Matteo,

I initially looked at the mail by Kamil, and thought this was about quoting, to which I told myself "fine, that's useful".

After reviewing the contents, plus Matteo's response, it is clear to me that this is another attempt at escaping aimed at string interpolation.

I'd be opposed to that, even just for the fact that we're adding more tools to a toolbox that should instead point at prepared statements.
Projects like PHPMyAdmin have vast experience in handling this sort of API, and they should just do it themselves. BTW, it would be interesting to show exactly (in the RFC text) why/where these projects can't use prepared statements.

If you were to propose something about quoting (with the correct backtick syntax, perhaps even based on the current set SQL compatibility mode), then that could be marginally interesting.

Greets,

Marco Pivetta
https://mastodon.social/@ocramius
https://ocramius.github.io/

On Fri, 19 Dec 2025 at 14:52, Matteo Beccati <php@beccati.com> wrote:
> Hi Kamil,
>
> On 18/12/2025 22:03, Kamil Tekiela wrote:
> > Hello,
> >
> > I would like to open a discussion about adding a new function to PHP
> >
> > https://wiki.php.net/rfc/mysqli_quote_string
> >
> > Would you support such an addition?
>
> I agree with you and I prefer PDO::quote()'s behaviour over the "old"
> non-pdo quote functions.
>
> However, I also think that manually interpolating parameters is not a
> best practice that we should encourage: query parameters are a much
> better defence against SQL injections.
>
> Also I'm afraid that offering two alternatives would increase the
> confusion, especially if this new function is added only to mysqli and
> not other prominent database extensions.
>
> Cheers
> --
> Matteo
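An added example, not code from the thread or the RFC, contrasting the two things under discussion: backtick-quoting an identifier (the case Marco calls marginally interesting) versus passing a value through a bound parameter instead of escaping it for interpolation. The `users` table, the column allow-list and the `$db` connection are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread or the RFC). In MySQL an identifier is
// always quotable with backticks regardless of sql_mode: ANSI_QUOTES only
// changes the meaning of double quotes. Values, by contrast, belong in a
// bound parameter, never in an escaped-and-interpolated string.

/**
 * Quote a MySQL identifier (table or column name) with backticks,
 * doubling any embedded backtick. Empty names and NUL bytes are rejected,
 * since neither is ever a valid identifier.
 */
function quoteIdentifier(string $name): string
{
    if ($name === '' || str_contains($name, "\0")) {
        throw new InvalidArgumentException('invalid identifier');
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

/**
 * Look up rows by a caller-chosen column. The column name is checked against
 * an allow-list first (quoting alone does not make an arbitrary identifier
 * acceptable), then quoted; the value is bound, not interpolated.
 * Assumes an open mysqli connection $db and a hypothetical "users" table.
 *
 * @return array<int, array<string, mixed>>
 */
function findByColumn(mysqli $db, string $column, string $value): array
{
    $allowed = ['email', 'username'];          // hypothetical schema
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException('column not allowed');
    }
    $sql  = 'SELECT id FROM users WHERE ' . quoteIdentifier($column) . ' = ?';
    $stmt = $db->prepare($sql);
    $stmt->bind_param('s', $value);            // value travels out of band
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Offline self-check of the identifier helper on constructed inputs.
function selfCheck(): bool
{
    return quoteIdentifier('email') === '`email`'
        && quoteIdentifier('odd`name') === '`odd``name`';
}

var_dump(selfCheck());
```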