On 22 Apr 2022, at 13:09, Guilliam Xavier <[email protected]> wrote:
>> https://wiki.php.net/rfc/mysqli_execute_query
>
> Thanks. Maybe add (or even start with) an example of mysqli_query(), to show
> how "migrating to safer" would become easier? retro-fitting your example of
> parameterised query:
Thanks Guilliam, that's a good idea. To keep it short, I've gone with a more traditional use of `$db->real_escape_string()` with string concatenation, including a classic mistake with missing quotes around integer values :-) I do like your example with `vsprintf()`, but I needed to replace the "?" with "%s" as well, which made it look more complicated than pre-8.1 prepared statements, I hope that's ok.

Craig
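The migration path the two messages discuss, written out as an added example (this is not the RFC's example nor code from either poster): the legacy `mysqli_query()` style with `real_escape_string()` and concatenation, including the unquoted-integer mistake Craig mentions; the prepared-statement form as it looks before and from PHP 8.1; and the one-call `execute_query()` form the RFC introduces (available since PHP 8.2). The `DB_*` environment variables, the `users(id, name)` table and the column names are placeholders assumed for this example; a reachable MySQL server is required to run it.

```php
<?php
declare(strict_types=1);

// Added example, not code from the RFC or the thread. It contrasts the three
// ways of running the same lookup that the discussion compares.
// Assumptions: a MySQL server described by the DB_* environment variables and
// a table `users(id INT, name VARCHAR(64))`; all of these are placeholders.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli(
    getenv('DB_HOST') ?: '127.0.0.1',
    getenv('DB_USER') ?: 'app',
    getenv('DB_PASS') ?: '',
    getenv('DB_NAME') ?: 'app',
);
$db->set_charset('utf8mb4');

// 1. Legacy style: real_escape_string() plus concatenation.
//    real_escape_string() only neutralises quote characters, so it is only
//    meaningful when the value is placed *inside* quotes. The id below is
//    concatenated without quotes (the "classic mistake" from the thread), so
//    a non-numeric value contains nothing to escape and is spliced into the
//    statement verbatim. This function only builds the string; it never runs it.
function legacySql(mysqli $db, string $name, string $id): string
{
    return "SELECT id, name FROM users WHERE name = '" . $db->real_escape_string($name)
         . "' AND id = " . $db->real_escape_string($id);   // no quotes around id
}

// 2. Prepared statement as written before mysqli_execute_query() existed.
//    From PHP 8.1 execute() accepts the parameter array directly; before 8.1
//    the same needs $stmt->bind_param('si', $name, $id) first. Either way the
//    values are sent separately from the SQL text and cannot change its shape.
function preparedLookup(mysqli $db, string $name, int $id): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ? AND id = ?');
    $stmt->execute([$name, $id]);           // PHP >= 8.1 signature
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// 3. The RFC's one-call form (PHP 8.2): prepare, bind, execute and get_result
//    collapsed into a single call. This is what makes retro-fitting an old
//    mysqli_query() call site a matter of swapping the method name and moving
//    the concatenated values into the parameter array.
function executeQueryLookup(mysqli $db, string $name, int $id): array
{
    return $db->execute_query(
        'SELECT id, name FROM users WHERE name = ? AND id = ?',
        [$name, $id],
    )->fetch_all(MYSQLI_ASSOC);
}

// Constructed input for the demonstration: a name containing a quote, and an
// id that is not an integer at all.
$name = "O'Brien";
$id   = "7 OR 1=1";

// (1) escapes the quote in the name but leaves the id unconstrained.
echo legacySql($db, $name, $id), PHP_EOL;

// (2) and (3) take an int; under strict_types a string id is a TypeError
// before any SQL is built, and as a bound value it could only ever be data.
var_dump(preparedLookup($db, $name, 7) === executeQueryLookup($db, $name, 7));
```

Running the script prints the legacy statement with the name escaped as `'O\'Brien'` but the tail reading `AND id = 7 OR 1=1`, which is the whole of the mistake: escaping is a property of the quoted context, not of the value, so an unquoted integer gets no protection. The two parameterised forms return identical rows, and the only difference between them is that `execute_query()` removes the `prepare`/`execute`/`get_result` ceremony that made prepared statements look heavier than the `mysqli_query()` call they replace.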
