Hi Internals,
I would like to hear your opinions about the following page in the PHP manual:
https://www.php.net/manual/en/mysqli.examples-basic.php
Currently, this is the only "example" apart from the quick start
guide. There is a whole section
https://www.php.net/manual/en/mysqli.examples.php which suggests that
there were more or that there was meant to be more examples, however
there is only that one example now.
People have complained about the quality of this example for a number
of years, including myself. The page does not show best practices,
encourages SQL injection, poor error handling, and lacks a prepared
statement example. As a result, it does more harm than good.
There are two possible solutions. 1. Get rid of the examples section.
2. Write a proper mysqli example. While I could create a PR suggesting
a better example, I would advise that we remove it completely. This
API is not suited to be used directly in business logic. This
functionality should be wrapped in a database abstraction layer. For
this reason, this example is not much more useful than the examples
located on each function's own page. Users writing abstraction
libraries are interested more in an example for a particular function
rather than an overall example.
What are your opinions? Would it be ok to remove that page?
Best Regards,
Kamil Tekiela
I would like to hear your opinions about the following page in the PHP
manual:
https://www.php.net/manual/en/mysqli.examples-basic.php
Oh, wow, I didn't expect to find this on the PHP website:
$aid = (int) $_GET['aid'];
...
$sql = "SELECT actor_id, first_name, last_name FROM actor WHERE actor_id = $aid";
if (!$result = $mysqli->query($sql)) {
...
Please remove this as soon as possible.
Maybe just replace it with a link to this page:
https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php
While I'm not a fan of mysqli bind_param (far too complicated for new
developers), it's needed to use mysqli safely (it allows the SQL string to be
made entirely of programmer-defined, safe literals, not tainted by external
sources).
e.g. this common mistake, which doesn't quote the escaped value, does not
consider NO_BACKSLASH_ESCAPES, and can still have encoding issues:
$sql = "SELECT actor_id, first_name, last_name FROM actor WHERE actor_id = " . mysqli_real_escape_string($mysqli, $aid);
Craig
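As an added illustration of the points raised in this thread (this is not code from the manual page or from either poster), the snippet below puts the interpolated query pattern and the escape-without-quotes mistake next to the prepared-statement form the quick start guide recommends, with mysqli's exception-based error reporting enabled so the per-call "if (!$result = ...)" checks are not needed. The connection parameters are placeholders; the actor table is the one used in the manual's query.

```php
<?php
// Added example, not from the manual or the thread. Connection details are
// placeholders; the actor table matches the manual's SELECT.
declare(strict_types=1);

// Throw mysqli_sql_exception on any failure instead of returning false, so a
// forgotten check after query()/prepare()/execute() cannot silently continue.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$mysqli = new mysqli('db.example.invalid', 'user', 'password', 'sakila'); // placeholder credentials
$mysqli->set_charset('utf8mb4'); // escaping depends on the charset the connection really uses

/**
 * The pattern from the manual example. The (int) cast is the only thing
 * keeping the request value out of the SQL text; copy the pattern to a
 * string column, or drop the cast, and the query becomes injectable.
 */
function findActorInterpolated(mysqli $mysqli, string $untrustedId): ?array
{
    $aid = (int) $untrustedId;
    $sql = "SELECT actor_id, first_name, last_name FROM actor WHERE actor_id = $aid";
    return $mysqli->query($sql)->fetch_assoc() ?: null;
}

/**
 * The escaping mistake Craig describes: the value is escaped but not quoted.
 * mysqli_real_escape_string only touches quote, backslash and NUL-type
 * characters, so an input that contains none of them is returned unchanged
 * and still lands inside the WHERE clause as SQL. Built as a string here
 * (not executed) purely to show what the resulting statement looks like.
 */
function buildEscapedButUnquotedSql(mysqli $mysqli, string $untrustedId): string
{
    return "SELECT actor_id, first_name, last_name FROM actor WHERE actor_id = "
        . mysqli_real_escape_string($mysqli, $untrustedId);
}

/**
 * Prepared statement: the SQL string is a programmer-defined literal and the
 * value is sent separately, so it is never parsed as SQL, regardless of
 * NO_BACKSLASH_ESCAPES or connection charset.
 */
function findActorPrepared(mysqli $mysqli, string $untrustedId): ?array
{
    $stmt = $mysqli->prepare(
        'SELECT actor_id, first_name, last_name FROM actor WHERE actor_id = ?'
    );
    $stmt->bind_param('i', $untrustedId); // 'i': bound as an integer parameter
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage: the prepared form returns at most the one matching actor for any input.
$row = findActorPrepared($mysqli, $_GET['aid'] ?? '');
var_dump($row);

// Constructed input with no quote characters: escaping leaves it as-is, and the
// unquoted concatenation turns it into part of the condition.
var_dump(buildEscapedButUnquotedSql($mysqli, '1 OR 1=1'));
```

get_result() requires the mysqlnd driver; on a build without it, bind_result()/fetch() gives the same protection with the same prepare/bind_param/execute structure. The defensive point is the one Craig makes: with bind_param the query text never contains request data, so none of the escaping caveats (quoting, NO_BACKSLASH_ESCAPES, charset mismatches) apply.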