Newsgroups: php.internals
Subject: [PHP-DEV] Re: [RFC] New function mysqli_quote_string
From: Kamil Tekiela <tekiela246@gmail.com>
To: PHP internals
Date: Thu, 8 Jan 2026 20:43:04 +0000

On Thu, 18 Dec 2025 at 21:03, Kamil Tekiela wrote:
>
> Hello,
>
> I would like to open a discussion about adding a new function to PHP
>
> https://wiki.php.net/rfc/mysqli_quote_string
>
> Would you support such an addition?
>
> Regards,
> Kamil Tekiela

Hi All,

Despite receiving some criticism, I would like to bring it to a vote still. If this method doesn't get added, then it means that this SQL injection vulnerability will never be patched. Sure, most users have probably switched to prepared statements and we should encourage others to do so, but as long as manual escaping exists, it should be reliable and not prone to hidden SQL injection.

Matteo said:
> I agree it's not rocket science to add single quotes. Saying that we need to do that in core to avoid users "accidentally forgetting the quotation marks" seems a bit of an overstatement. If they had forgotten the quotes, most of the time the query would error out rather than silently working and allowing SQL injection.

I don't want people to focus on the wrong part of the RFC. It's not just about forgetting quotes. That is a problem the developer would introduce themselves, and it is usually easily noticeable. The trouble is when the user uses double quotes and thinks that everything is ok. The main reason for this RFC is to provide an SQL-injection-safe function for manual escaping of strings. The existing function leads users into a false sense of security, as even when the data is escaped and quoted in double quotes, it remains vulnerable to SQL injection.
Putting a warning into the PHP manual is certainly a good idea, but we could provide a fixed function and help users even more. It paints PHP in a bad light when we ask users to add quotation marks manually around the return value of a function that should do it automatically, and then we put a warning in the PHP manual saying that while double quotes would work too, they are not SQL injection safe. Why can't PHP just provide a function that wraps it in the correct quotation marks instead?

Regards,
Kamil
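An added illustration, not part of Kamil's message, the RFC, or mysqli's code: the failure mode described above is the one the MySQL C API documents for mysql_real_escape_string when the NO_BACKSLASH_ESCAPES sql_mode is active. In that mode the escaper cannot use backslashes, so all it can do is double single quotes; a double quote in the input passes through untouched, and a value the developer wraps in double quotes closes the literal early. The Python below models the two escaping regimes (escape_default and escape_no_backslash_escapes are simplified models written for this example, not the real implementation), models the proposed single-quote-wrapping function as quote_string, and uses a small lexer, is_single_literal, to report whether the wrapped value is consumed as one string literal or spills into the surrounding statement.

```python
# Added example (not code from the RFC or from mysqli): a model of why escaping a
# value and then wrapping it in double quotes can still inject. The two escape
# functions are simplified models of mysql_real_escape_string under the default
# sql_mode and under NO_BACKSLASH_ESCAPES; quote_string models the behaviour the
# RFC asks for. None of these are the real implementation.

DEFAULT_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}


def escape_default(value: str) -> str:
    """Default sql_mode: backslash-escape the characters MySQL's escaper handles."""
    return "".join(DEFAULT_ESCAPES.get(c, c) for c in value)


def escape_no_backslash_escapes(value: str) -> str:
    """NO_BACKSLASH_ESCAPES: backslash is an ordinary character, so the only
    thing the escaper can do is double the single quote. Double quotes pass
    through untouched."""
    return value.replace("'", "''")


def escape(value: str, no_backslash_escapes: bool) -> str:
    """Dispatch to the escaping regime the server is running in."""
    if no_backslash_escapes:
        return escape_no_backslash_escapes(value)
    return escape_default(value)


def escaped_and_wrapped(value: str, quote: str, no_backslash_escapes: bool) -> str:
    """What a developer produces today: escape, then add the quotes by hand."""
    return quote + escape(value, no_backslash_escapes) + quote


def quote_string(value: str, no_backslash_escapes: bool) -> str:
    """Model of the proposed function: escape for the single-quote context and
    wrap in single quotes, so escaping and quoting can never disagree."""
    return "'" + escape(value, no_backslash_escapes) + "'"


def is_single_literal(fragment: str, no_backslash_escapes: bool) -> bool:
    """Scan fragment the way MySQL's lexer reads a string literal that starts
    at fragment[0]. True only if the whole fragment is consumed as one
    literal; False means a quote closed it early and the tail would be parsed
    as SQL (injection), or the literal never closes at all."""
    q = fragment[0]
    i, n = 1, len(fragment)
    while i < n:
        c = fragment[i]
        if c == "\\" and not no_backslash_escapes:
            i += 2                      # backslash escapes the next character
            continue
        if c == q:
            if i + 1 < n and fragment[i + 1] == q:
                i += 2                  # doubled quote stands for one quote char
                continue
            return i == n - 1           # closing quote: safe only if nothing follows
        i += 1
    return False                        # unterminated literal


def demo() -> dict:
    """Run the four combinations the email argues about against a hostile value."""
    hostile = 'x" OR 1=1 -- '            # constructed attacker input containing a double quote
    return {
        "default mode, double quotes":
            is_single_literal(escaped_and_wrapped(hostile, '"', False), False),
        "NO_BACKSLASH_ESCAPES, double quotes":
            is_single_literal(escaped_and_wrapped(hostile, '"', True), True),
        "default mode, quote_string":
            is_single_literal(quote_string(hostile, False), False),
        "NO_BACKSLASH_ESCAPES, quote_string":
            is_single_literal(quote_string(hostile, True), True),
    }


if __name__ == "__main__":
    for case, safe in demo().items():
        verdict = "one literal" if safe else "LITERAL ENDS EARLY (injection)"
        print(f"{case:38} {verdict}")
```

The only combination that fails is the one the email warns about: under NO_BACKSLASH_ESCAPES the double quote in the input survives escaping, so `"x" OR 1=1 -- "` terminates the literal after `x` and the rest is parsed as SQL. Wrapping in single quotes is safe in both regimes because doubling the single quote is exactly the escape the server understands there, which is why tying the quoting to the escaping inside one function removes the choice the developer can get wrong.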