> On 22 Jun 2021, at 20:39, Mike Schinkel <m...@newclarity.net> wrote:
> 
>> On Jun 22, 2021, at 9:00 AM, Kamil Tekiela <tekiela...@gmail.com> wrote:
>> 
>> Hi Mike,
>> 
>> Please don't do this. We already have PDO with prepared statements. The data 
>> must be bound. This is the secure way of writing SQL queries. 
> 
> The problem is that over 40% of the web currently runs on PHP code that uses 
> mysqli.  That CMS does not support PDO nor prepared statements, and is 
> unlikely to switch to it anytime soon in the foreseeable future.  
> 
> A SQL object model parser and sanitizer could more easily be used 
> incrementally by that CMS since PDO does not share connections with mysqli 
> (AFAIK, anyway.)
> 

(Resending from on-list address)

Apparently you didn't know mysqli supports parameterised queries?
Wordpress could have adopted parameterised queries when they grudgingly 
switched to mysqli, years after both it and PDO were introduced.
There’s zero reason to believe they would adopt this unless forced to.

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
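As an added illustration (not code from the thread or from any project named in it), this is what the mysqli parameterised query referred to above looks like with prepare/bind_param; the host, credentials, and the `users` table are placeholder assumptions.

```php
<?php
declare(strict_types=1);

// Placeholder connection details; adjust for your environment.
// MYSQLI_REPORT_STRICT makes mysqli throw on errors instead of returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('db.example.invalid', 'app_user', 'app_password', 'app_db');
$db->set_charset('utf8mb4'); // set the charset on the connection so client and server agree

/**
 * Look up a user by e-mail with a mysqli prepared statement.
 * The value is bound as a parameter, so it travels separately from the
 * SQL text and cannot alter the structure of the query.
 */
function findUserByEmail(mysqli $db, string $email): ?array
{
    // Unsafe form, shown only for contrast with the bound version below:
    //   $db->query("SELECT id, name FROM users WHERE email = '$email'");
    $stmt = $db->prepare('SELECT id, name FROM users WHERE email = ? LIMIT 1');
    $stmt->bind_param('s', $email);            // 's' = bind the placeholder as a string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() requires the mysqlnd driver
    $stmt->close();
    return $row ?: null;
}

// A value containing a quote needs no escaping by the caller: it is compared literally.
$user = findUserByEmail($db, "o'brien@example.com");
var_dump($user); // NULL, or the matching row as an associative array
```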