Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] New function mysqli_quote_string
From: Craig Francis <craig@craigfrancis.co.uk>
To: Matteo Beccati
Cc: PHP internals, Kamil Tekiela
Date: Wed, 24 Dec 2025 03:26:28 +0000
References: <23051439-6f0d-4175-b632-3b943582bfe0@beccati.com>

On 20 Dec 2025, at 07:49, Matteo Beccati wrote:

> [...] Saying that we need to do that in core to avoid users "accidentally forgetting the quotation marks" seems a bit of an overstatement. If they had forgotten the quotes, most of the time the query would error out rather than silently working and allowing SQL injection.

I wish most of the time it would error... exhibit A, found a couple of weeks ago.

$db->query('SELECT name FROM user WHERE id = ' . $db->real_escape_string($_GET['id']));

Just as an aside, Kamil, I like your proposal; while I hope that one day parameterised queries are used by everyone, we still live in a world where developers escape values themselves, and your proposal would reduce the chance of them making mistakes.

Craig
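The following is an added example, not code from the thread, the RFC or PHP itself. It shows why the "exhibit A" pattern above gives no protection even though the value is escaped, and what changes once the helper also supplies the quotes. It needs no database connection: it only builds the SQL text and prints it. The two helpers are stand-ins: demo_escape() mimics the character set that mysqli::real_escape_string() escapes (an assumption that ignores the connection charset and the NO_BACKSLASH_ESCAPES sql_mode, both of which the real function takes from the connection), and demo_quote_string() is a hypothetical version of the proposed helper, assumed here to escape the value and wrap it in single quotes.

```php
<?php
// Added example (not from the thread). Demonstrates that escaping a value
// without surrounding quotes does not prevent SQL injection, and what a
// quote-and-escape helper changes. No database required.

// Stand-in for mysqli::real_escape_string(). Assumption for the demo: same
// characters as the real function, but without the connection-charset and
// NO_BACKSLASH_ESCAPES handling that the real one reads from the connection.
function demo_escape(string $value): string
{
    return strtr($value, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
}

// Hypothetical helper with the behaviour assumed for the proposal here:
// escape the value AND wrap it in single quotes so they cannot be forgotten.
function demo_quote_string(string $value): string
{
    return "'" . demo_escape($value) . "'";
}

// Constructed attacker input. It contains nothing the escaper touches.
$input = '1 OR 1=1';

// 1. The pattern from the message: escaped, but no quotes around the value.
//    demo_escape() has nothing to rewrite, so the boolean lands in the WHERE
//    clause as SQL and the query matches every row.
$unquoted = 'SELECT name FROM user WHERE id = ' . demo_escape($input);
echo $unquoted, "\n";
// SELECT name FROM user WHERE id = 1 OR 1=1

// 2. Quoted: the input is now a single string literal. MySQL coerces the
//    string to a number for the comparison (with a warning), so at worst
//    the row with id 1 is returned; no attacker-supplied SQL is evaluated.
$quoted = 'SELECT name FROM user WHERE id = ' . demo_quote_string($input);
echo $quoted, "\n";
// SELECT name FROM user WHERE id = '1 OR 1=1'

// 3. Input that tries to close the literal: the escaping keeps it inside.
$quoted2 = 'SELECT name FROM user WHERE id = ' . demo_quote_string("1' OR '1'='1");
echo $quoted2, "\n";
// SELECT name FROM user WHERE id = '1\' OR \'1\'=\'1'

// Preferred, as the message also says: a parameterised query, where the
// application never builds the literal at all (mysqli::execute_query, PHP 8.2+):
// $result = $db->execute_query('SELECT name FROM user WHERE id = ?', [$_GET['id']]);
```

The point of cases 1 and 2 is that the escaper's job is to keep a value inside an existing string literal; if there is no literal, there is nothing for it to protect. A helper that emits the quotes itself removes that failure mode, but the safe default remains the prepared statement, which also avoids the string-to-integer coercion visible in case 2.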