On Mon, Apr 25, 2022 at 1:05 PM Craig Francis <cr...@craigfrancis.co.uk>
wrote:

> On 22 Apr 2022, at 13:09, Guilliam Xavier <guilliam.xav...@gmail.com>
> wrote:
>
> > https://wiki.php.net/rfc/mysqli_execute_query
>
> Thanks. Maybe add (or even start with) an example of mysqli_query(), to
> show how "migrating to safer" would become easier? retro-fitting your
> example of parameterised query:
>
>
>
>
> Thanks Guilliam, that's a good idea.
>
> To keep it short, I've gone with a more traditional use of
> `$db->real_escape_string()` with string concatenation, including a
> classic mistake with missing quotes around integer values :-)
>
> I do like your example with `vsprintf()`, but I needed to replace the "?"
> with "%s" as well, which made it look more complicated than pre-8.1 prepared
> statements, I hope that's ok.
>

Of course that's "ok", you own your RFC ;) I had suggested [v]sprintf for
brevity and similarity with your parameterised query examples and
https://www.php.net/manual/en/mysqli.real-escape-string.php#refsect1-mysqli.real-escape-string-examples
too, but concatenation is probably more "realistic" anyway...

-- 
Guilliam Xavier

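As an added illustration of the "migrating to safer" comparison discussed in this thread (example code written for this page, not taken from the RFC or from either participant), the following shows the legacy `mysqli_query()` + `real_escape_string()` + concatenation pattern with the missing-quotes mistake Craig mentions, then the pre-8.1 and 8.1 prepared-statement forms, and finally `execute_query()` as proposed by the RFC. The connection details, the `users` table and its columns are assumptions for illustration only.

```php
<?php
// Added example for this page; not code from the RFC or the thread.
// Assumes (for illustration) a MySQL database reachable with the credentials
// below and a table `users` with columns `id` INT PRIMARY KEY, `email` VARCHAR.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'app', 'secret', 'app_db'); // assumed credentials

// Attacker-controlled input, e.g. ?id=1%20OR%201%3D1
$id = $_GET['id'] ?? '1';

// 1. Legacy pattern: mysqli_query() with real_escape_string() and concatenation.
//    real_escape_string() only escapes quote and control characters; it does
//    nothing to protect a value that is not wrapped in quotes. With $id set to
//    "1 OR 1=1" the escaped string is unchanged and the query becomes
//      SELECT id, email FROM users WHERE id = 1 OR 1=1
//    which returns every row. This is the "classic mistake" from the thread.
function find_user_legacy(mysqli $db, string $id): array
{
    $sql = 'SELECT id, email FROM users WHERE id = ' . $db->real_escape_string($id);
    return $db->query($sql)->fetch_all(MYSQLI_ASSOC);
}

// 2. Pre-8.1 prepared statement: safe, but four calls for one query.
//    bind_param('i', ...) also casts the value to int, so "1 OR 1=1" becomes 1.
function find_user_pre81(mysqli $db, string $id): array
{
    $stmt = $db->prepare('SELECT id, email FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// 3. PHP 8.1: mysqli_stmt::execute() accepts the parameters directly.
//    Parameters are sent separately from the SQL text, so the server receives
//    the literal string '1 OR 1=1' as a value and never parses it as SQL.
function find_user_81(mysqli $db, string $id): array
{
    $stmt = $db->prepare('SELECT id, email FROM users WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// 4. PHP 8.2, mysqli_execute_query() from the RFC: prepare, bind, execute and
//    get_result collapsed into one call. Same safety as 3, and the shape is
//    close enough to the legacy one-liner that migration is mostly mechanical.
function find_user_execute_query(mysqli $db, string $id): array
{
    return $db
        ->execute_query('SELECT id, email FROM users WHERE id = ?', [$id])
        ->fetch_all(MYSQLI_ASSOC);
}

// With $id = "1 OR 1=1": find_user_legacy() dumps the whole table, while the
// three parameterised versions return at most the row whose id is 1.
printf("legacy: %d rows\n", count(find_user_legacy($db, $id)));
printf("execute_query: %d rows\n", count(find_user_execute_query($db, $id)));
```

Note that wrapping the escaped value in quotes (`WHERE id = '...'`) would close the hole in the legacy version for this particular input, but only if the connection charset is set correctly for `real_escape_string()`; the parameterised forms do not depend on either condition, which is the point of making them as easy to write as the unsafe one.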