Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] New function mysqli_quote_string
From: php@beccati.com (Matteo Beccati)
Date: Sat, 20 Dec 2025 08:49:04 +0100
To: PHP internals
Cc: Kamil Tekiela
References: <23051439-6f0d-4175-b632-3b943582bfe0@beccati.com>

Hi,

On 19/12/2025 15:23, Kamil Tekiela wrote:
> The new function isn't meant to encourage this practice. My RFC
> acknowledges that query parameters are the best, but unfortunately,
> manual escaping is a must for certain applications.

Such applications are certainly capable of adding single quotes? I don't think we really need to spoon-feed them with a brand new function after the 25+ years that everybody and their dog has been using real_escape_string().

> What other extensions do you have in mind? PDO already has it, so does
> PostgreSQL with pg_escape_literal(). Every extension is different and
> they never have the exact same functions. In fact, what I am proposing
> is to bring mysqli in line with other extensions which already have
> it.

Apologies, I was referring to pg_escape_string(), which I had used back in the day. I didn't recall pg_escape_literal() + pg_escape_identifier(): they were added 14 years ago and they use the underlying libpq PQescapeLiteral and PQescapeIdentifier functionality to offer even better / safer escaping. Also ext/sqlite3 offers a non-binary-safe escape function without quotes.

> The confusion it's going to cause is minimal. The behaviour is exactly
> the same as the old function, just that the quotation marks are added
> automatically. It's not rocket science.

I agree it's not rocket science to add **single quotes**. Saying that we need to do that in core to avoid users "accidentally forgetting the quotation marks" seems a bit of an overstatement. If they had forgotten the quotes, most of the time the query would error out rather than silently working and allowing SQL injection.

As for single quotes vs other quote flavours, I reckon it should be documentation material, perhaps with a big yellow box like we do for charsets.

Cheers

-- 
Matteo
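The three patterns the thread argues about, as an added example that is not part of the original message or of the RFC: escaping without adding quotes (the real_escape_string() style), escaping with the quotes added for you (PDO::quote(), the PDO counterpart of pg_escape_literal() and of the proposed mysqli_quote_string()), and a parameterised query. It runs offline against an in-memory SQLite database through PDO, so no MySQL server is needed; escape_no_quotes() is a constructed stand-in that only doubles single quotes, which is enough to show the shape of the problem but is not a replacement for mysqli_real_escape_string(), which also handles backslashes, NUL bytes and the connection charset. The table and the two inputs are constructed for the example.

```php
<?php
// Added example (not from the thread). Compares what happens when an escaped
// value is pasted into a query (a) without quotes, (b) with hand-written quotes,
// (c) quoted by the escaper itself, and (d) bound as a parameter.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob'), ('O''Brien')");

// Constructed stand-in for an "escape but do not quote" function: doubles
// single quotes, SQL-standard style. Deliberately minimal; real escapers do more.
function escape_no_quotes(string $s): string
{
    return str_replace("'", "''", $s);
}

// Run a query and describe the outcome on one line instead of letting
// the exception abort the demonstration.
function run(PDO $pdo, string $sql): string
{
    try {
        $rows = $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
        return sprintf('%-52s -> %s', $sql, json_encode($rows));
    } catch (PDOException $e) {
        return sprintf('%-52s -> ERROR: %s', $sql, $e->getMessage());
    }
}

// Constructed inputs: a legitimate value containing a quote, and a
// numeric-looking payload that needs no quote character at all.
$inputs = ["O'Brien", "1 OR 1=1"];

foreach ($inputs as $in) {
    // (a) Escaped, quotes forgotten. The word-like value fails to parse,
    //     but the numeric-looking payload is valid SQL and widens the WHERE.
    echo run($pdo, "SELECT name FROM users WHERE name = " . escape_no_quotes($in)), "\n";

    // (b) Escaped and quoted by hand: the classic real_escape_string() usage.
    echo run($pdo, "SELECT name FROM users WHERE name = '" . escape_no_quotes($in) . "'"), "\n";

    // (c) Escaped and quoted in one step; the quotes cannot be forgotten.
    echo run($pdo, "SELECT name FROM users WHERE name = " . $pdo->quote($in)), "\n";

    // (d) Parameterised query: the value never touches the SQL text.
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = ?');
    $stmt->execute([$in]);
    echo sprintf("%-52s -> %s\n", "prepared, bound [$in]",
        json_encode($stmt->fetchAll(PDO::FETCH_COLUMN)));
    echo "\n";
}
```

Run it with `php example.php`. Cases (b), (c) and (d) behave identically for both inputs: one row for `O'Brien`, no rows for `1 OR 1=1`. Case (a) is the one the thread is about: the quote-bearing input produces a syntax error, whereas `1 OR 1=1` executes and returns every row, because the escaper had nothing to escape and the missing quotes are what turned a value into an expression.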