Hey Kamil, Matteo,

I initially looked at the mail by Kamil, and thought this was about quoting, to which I told myself "fine, that's useful".

After reviewing the contents, plus Matteo's response, it is clear to me that this is another attempt at escaping aimed at string interpolation. I'd be opposed to that, even just for the fact that we're adding more tools to a toolbox that should instead point at prepared statements. Projects like PHPMyAdmin have vast experience in handling this sort of API, and they should just do it themselves.

BTW, it would be interesting to show exactly (in the RFC text) why/where these projects can't use prepared statements.

If you were to propose something about quoting (with the correct backtick syntax, perhaps even based on the current set SQL compatibility mode), then that could be marginally interesting.

Greets,
Marco Pivetta
https://mastodon.social/@ocramius
https://ocramius.github.io/

On Fri, 19 Dec 2025 at 14:52, Matteo Beccati <[email protected]> wrote:
> Hi Kamil,
>
> On 18/12/2025 22:03, Kamil Tekiela wrote:
> > Hello,
> >
> > I would like to open a discussion about adding a new function to PHP
> >
> > https://wiki.php.net/rfc/mysqli_quote_string
> >
> > Would you support such an addition?
>
> I agree with you and I prefer PDO::quote()'s behaviour over the "old"
> non-pdo quote functions.
>
> However, I also think that manually interpolating parameters is not a
> best practice that we should encourage: query parameters are a much
> better defence against SQL injections.
>
> Also I'm afraid that offering two alternatives would increase the
> confusion, especially if this new function is added only to mysqli and
> not other prominent database extensions.
>
> Cheers
> --
> Matteo
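As an added example (not code from the thread, the RFC, or any of the projects named above), the split both replies point at: values go through a mysqli prepared statement, while identifiers, which cannot be bound as parameters, are quoted with backticks. The function names and the table/column names are assumptions made for the illustration.

```php
<?php
// Added example: identifier quoting beside value binding for mysqli.
// Assumes PHP 8+ and a mysqli connection built with mysqlnd (for get_result()).

/**
 * Quote a MySQL identifier (table or column name) for interpolation into SQL.
 * MySQL's rule for backtick-quoted identifiers is to double embedded backticks.
 * Backticks work regardless of sql_mode; double quotes only act as identifier
 * quotes under ANSI_QUOTES, which is why the backtick form is the safe default.
 * Where the set of valid identifiers is known in advance, an allow-list check
 * is the stronger control; quoting is the fallback for dynamic schema names.
 */
function quoteIdentifier(string $name): string
{
    if ($name === '' || str_contains($name, "\0")) {
        throw new InvalidArgumentException('Invalid identifier');
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

/**
 * Fetch rows where $column = $value.
 * The identifiers are interpolated only after quoteIdentifier();
 * the value is bound with bind_param() and never touches the SQL text.
 */
function selectByColumn(mysqli $db, string $table, string $column, string $value): array
{
    $sql = sprintf(
        'SELECT * FROM %s WHERE %s = ?',
        quoteIdentifier($table),
        quoteIdentifier($column)
    );
    $stmt = $db->prepare($sql);
    $stmt->bind_param('s', $value);   // value is a parameter, not interpolated
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Checks of the quoting rule alone (no database connection needed):
assert(quoteIdentifier('users') === '`users`');
assert(quoteIdentifier('odd`name') === '`odd``name`');
assert(quoteIdentifier('a"b') === '`a"b`');   // double quote needs no escaping here

// Usage against a live connection would be, e.g.:
// $rows = selectByColumn($db, 'users', 'email', $userSuppliedValue);
```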
