On Fri, 19 Dec 2025 at 13:52, Matteo Beccati <[email protected]> wrote:
>
> Hi Kamil,
>
>
> On 18/12/2025 22:03, Kamil Tekiela wrote:
> > Hello,
> >
> > I would like to open a discussion about adding a new function to PHP
> >
> > https://wiki.php.net/rfc/mysqli_quote_string
> >
> > Would you support such an addition?
>
> I agree with you and I prefer PDO::quote()'s behaviour over the "old"
> non-pdo quote functions.
>
> However, I also think that manually interpolating parameters is not a
> best practice that we should encourage: query parameters are a much
> better defence against SQL injections.
>
> Also I'm afraid that offering two alternatives would increase the
> confusion, especially if this new function is added only to mysqli and
> not other prominent database extensions.
>
>
> Cheers
> --
> Matteo
Hi Matteo,

The new function isn't meant to encourage this practice. My RFC acknowledges that query parameters are the best, but unfortunately, manual escaping is a must for certain applications.

What other extensions do you have in mind? PDO already has it, and so does PostgreSQL with pg_escape_literal(). Every extension is different and they never have the exact same functions. In fact, what I am proposing is to bring mysqli in line with other extensions which already have it.

The confusion it's going to cause is minimal. The behaviour is exactly the same as the old function, just that the quotation marks are added automatically. It's not rocket science.

Regards,
Kamil
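The three approaches under discussion side by side, as an added example that is not part of the thread or of the RFC: a prepared statement with a bound parameter (the defence both participants agree is preferable), the existing escape-then-quote-by-hand pattern, and a userland stand-in for the proposed quoting function. `mysqli_quote_string()` does not exist yet, so the stand-in `mysqli_quote_string_polyfill()` is an assumption that mirrors the behaviour described above (same escaping, quotes added automatically). The connection details and the `users(name)` table are placeholders; the script needs a reachable MySQL server.

```php
<?php
// Added example, not code from the RFC or the mailing-list thread.
// Assumes a reachable MySQL server with the placeholder credentials below
// and a table `users` with a VARCHAR column `name`.
$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
// Escaping is charset-aware: set the connection charset before escaping anything.
$db->set_charset('utf8mb4');

// Constructed sample input containing a single quote.
$untrusted = "O'Brien";

// 1. Preferred: a prepared statement with a bound parameter. The value is sent
//    separately from the SQL text, so neither escaping nor quoting is involved.
$stmt = $db->prepare('SELECT name FROM users WHERE name = ?');
$stmt->bind_param('s', $untrusted);
$stmt->execute();
$viaParam = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);

// 2. Existing function: escape, then add the surrounding quotes yourself.
//    The escaping only does its job inside a quoted string literal, so the
//    quotes are the developer's responsibility here.
$sql = "SELECT name FROM users WHERE name = '" . $db->real_escape_string($untrusted) . "'";
$viaEscape = $db->query($sql)->fetch_all(MYSQLI_ASSOC);

// 3. What the proposal describes: the same escaping, with the quotes added
//    automatically. This userland stand-in is an assumption about the
//    behaviour, not the RFC's implementation.
function mysqli_quote_string_polyfill(mysqli $db, string $value): string
{
    return "'" . $db->real_escape_string($value) . "'";
}
$sql = 'SELECT name FROM users WHERE name = ' . mysqli_quote_string_polyfill($db, $untrusted);
$viaQuote = $db->query($sql)->fetch_all(MYSQLI_ASSOC);

// All three variants perform the same lookup and return the same rows.
var_dump($viaParam === $viaEscape && $viaEscape === $viaQuote);
```

Variant 1 is the one to reach for whenever the value can be bound; variants 2 and 3 differ only in who writes the quotation marks, which is exactly the point the thread is debating.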
