On Fri, 19 Dec 2025 at 15:26, Kamil Tekiela <[email protected]> wrote:
> On Fri, 19 Dec 2025 at 13:52, Matteo Beccati <[email protected]> wrote:
> >
> > Hi Kamil,
> >
> > On 18/12/2025 22:03, Kamil Tekiela wrote:
> > > Hello,
> > >
> > > I would like to open a discussion about adding a new function to PHP
> > >
> > > https://wiki.php.net/rfc/mysqli_quote_string
> > >
> > > Would you support such an addition?
> >
> > I agree with you and I prefer PDO::quote()'s behaviour over the "old"
> > non-pdo quote functions.
> >
> > However, I also think that manually interpolating parameters is not a
> > best practice that we should encourage: query parameters are a much
> > better defence against SQL injections.
> >
> > Also I'm afraid that offering two alternatives would increase the
> > confusion, especially if this new function is added only to mysqli and
> > not other prominent database extensions.
> >
> >
> > Cheers
> > --
> > Matteo
>
> Hi Matteo,
>
> The new function isn't meant to encourage this practice. My RFC
> acknowledges that query parameters are the best, but unfortunately,
> manual escaping is a must for certain applications.
>
> What other extensions do you have in mind? PDO already has it, so does
> PostgreSQL with pg_escape_literal(). Every extension is different and
> they never have the exact same functions. In fact, what I am proposing
> is to bring mysqli in line with other extensions which already have
> it.
>
> The confusion it's going to cause is minimal. The behaviour is exactly
> the same as the old function, just that the quotation marks are added
> automatically. It's not rocket science.
>
> Regards,
> Kamil
>

btw pg_escape_literal is mis-named. It does not escape - it quotes. And there is an important difference between escaping and quoting, at least for SQLite: it is impossible to make a binary-safe escape() function, but it's fully possible to make a binary-safe quote() function (see https://github.com/php/php-src/pull/13972 ). IMO pg_escape_literal should be renamed pg_quote_literal.
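
The escape-versus-quote distinction raised at the end of the thread, shown as an added example that is not part of the mail or of the linked php-src pull request. It uses Python's stdlib sqlite3 module rather than PHP so the behaviour can be checked offline against a real SQLite engine; the helper names `sqlite_escape`, `sqlite_quote` and `roundtrip` are this example's own. An escape() function can only double the single quote, because the caller owns the surrounding quotes and the result must stay a `'...'` string literal, which cannot carry a NUL byte. A quote() function returns the whole literal and is therefore free to emit a blob literal `X'...'` for binary input, which round-trips any byte value.

```python
import sqlite3


def sqlite_escape(text: str) -> str:
    """escape(): the caller supplies the quotes, so all this can do is double the single quote."""
    return text.replace("'", "''")


def sqlite_quote(value) -> str:
    """quote(): returns a complete SQL literal and picks the literal form itself."""
    if isinstance(value, bytes):
        # Blob literal: every byte value, including NUL, is representable as hex.
        return "X'" + value.hex() + "'"
    if "\x00" in value:
        # A NUL can never live inside a '...' text literal; the caller must pass bytes instead.
        raise ValueError("NUL byte in text; pass bytes to obtain an X'...' blob literal")
    return "'" + value.replace("'", "''") + "'"


def roundtrip(literal: str):
    """Push a literal through SQLite and return what comes back, or None if it is rejected."""
    conn = sqlite3.connect(":memory:")
    try:
        return conn.execute("SELECT " + literal).fetchone()[0]
    except (ValueError, sqlite3.ProgrammingError):
        # Python refuses SQL text containing a NUL byte; the raw C API would treat the
        # NUL as end-of-statement and silently truncate the query at that point.
        return None
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed sample values: a name with a quote, and binary data containing a NUL.
    name = "O'Reilly"
    blob = b"ab\x00cd"
    print(roundtrip("'" + sqlite_escape(name) + "'"))   # escape() is fine for quotes
    print(roundtrip(sqlite_quote(name)))                 # quote() gives the same result
    print(roundtrip(sqlite_quote(blob)))                 # quote() survives the NUL byte
    print(roundtrip("'" + sqlite_escape(blob.decode()) + "'"))  # escape() cannot
```

The last line is the failure mode the thread describes: the escaped text is syntactically valid SQL only up to the NUL, so no amount of escaping inside the quotes can make it binary-safe, whereas the quoted form changes the literal type and stays exact. None of this changes the earlier point in the thread that bound query parameters remain the preferred defence; quoting is the fallback for the cases where interpolation is unavoidable.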
