Hi, on 19/12/2025 15:23, Kamil Tekiela wrote:
> The new function isn't meant to encourage this practice. My RFC acknowledges that query parameters are the best, but unfortunately, manual escaping is a must for certain applications.
Such applications are certainly capable of adding single quotes? I don't think we really need to spoon-feed them with a brand new function after 25+ years of everybody and their dog using real_escape_string().
> What other extensions do you have in mind? PDO already has it, so does PostgreSQL with pg_escape_literal(). Every extension is different and they never have the exact same functions. In fact, what I am proposing is to bring mysqli in line with other extensions which already have it.
Apologies, I was referring to pg_escape_string(), which I had used back in the day. I didn't recall pg_escape_literal + identifier: they were added 14 years ago and they use the underlying libpq PQescapeLiteral and PQescapeIdentifier functionality to offer even better / safer escaping.
Also ext/sqlite3 offers a non-binary-safe escape function without quotes.
> The confusion it's going to cause is minimal. The behaviour is exactly the same as the old function, just that the quotation marks are added automatically. It's not rocket science.
I agree it's not rocket science to add **single quotes**. Saying that we need to do that in core to avoid users "accidentally forgetting the quotation marks" seems a bit of an overstatement. If they had forgotten the quotes, most of the time the query would error out rather than silently working and allowing SQL injection.
As for single quotes vs other quote flavours, I reckon it should be documentation material, perhaps with a big yellow box like we do for charsets.
Cheers -- Matteo
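The following is an added example written for this page; it is not code from the thread, the RFC or any PHP extension. It puts the three styles the thread compares side by side on a single input: an escape-and-quote function (PDO::quote(), the same shape as pg_escape_literal()), an escape-only function with quotes added by the caller (SQLite3::escapeString(), the same shape as real_escape_string() and pg_escape_string()), the same escape-only output with the quotes forgotten, and a bound parameter. It uses an in-memory SQLite database through ext/pdo_sqlite and ext/sqlite3 so it runs without a MySQL or PostgreSQL server; the table, the rows and the input value are constructed for the example.

```php
<?php
// Added example (not code from the thread or the RFC). Needs ext/pdo_sqlite
// and ext/sqlite3; the in-memory SQLite database stands in for MySQL/PostgreSQL.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('O''Brien')");

// Constructed untrusted input containing a single quote.
$name = "O'Brien";

// Run one statement and report either the matched ids or the parse/runtime error.
function runQuery(PDO $pdo, string $label, string $sql): void
{
    try {
        $ids = $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
        printf("%-28s %s => ids %s\n", $label, $sql, json_encode($ids));
    } catch (PDOException $e) {
        printf("%-28s %s => ERROR: %s\n", $label, $sql, $e->getMessage());
    }
}

// 1. Escape-and-quote style (PDO::quote(), pg_escape_literal()): the function
//    returns the value already wrapped in single quotes, so the caller
//    concatenates it directly and cannot forget the quotes.
runQuery($pdo, 'quote():',
    "SELECT id FROM users WHERE name = " . $pdo->quote($name));

// 2. Escape-only style (real_escape_string(), pg_escape_string(),
//    SQLite3::escapeString()): the caller must add the quotes itself.
runQuery($pdo, 'escapeString() + quotes:',
    "SELECT id FROM users WHERE name = '" . SQLite3::escapeString($name) . "'");

// 3. The mistake the RFC cites: escape-only output with the quotes forgotten.
//    The unquoted text is tokenised as identifiers and an empty string literal,
//    so the statement fails to parse instead of matching a row.
runQuery($pdo, 'escapeString(), no quotes:',
    "SELECT id FROM users WHERE name = " . SQLite3::escapeString($name));

// 4. The approach both sides of the thread prefer: a bound parameter, which
//    never interpolates the value into the SQL text at all.
$stmt = $pdo->prepare("SELECT id FROM users WHERE name = ?");
$stmt->execute([$name]);
printf("%-28s bound parameter => ids %s\n", 'prepare():',
    json_encode($stmt->fetchAll(PDO::FETCH_COLUMN)));
```

Cases 1, 2 and 4 each return the id of the O'Brien row; case 3 raises a PDOException with a syntax error, which is the "errors out rather than silently working" outcome discussed above. Whether a forgotten quote always fails that loudly depends on the surrounding SQL and the driver, which is why the reply treats it as a documentation concern and why the bound parameter in case 4 remains the recommended path.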
