On 20 Dec 2025, at 07:49, Matteo Beccati <[email protected]> wrote:
> [...] Saying that we need to do that in core to avoid users "accidentally
> forgetting the quotation marks" seems a bit of an overstatement. If they had
> forgotten the quotes, most of the times the query would error out rather than
> silently working and allowing SQL-injection.
I wish most of the time it would error... exhibit A, found a couple of weeks
ago.
$db->query('SELECT name FROM user WHERE id = ' .
$db->real_escape_string($_GET['id']));
Just as an aside, Kamil, I like your proposal; while I hope that one day
parameterised queries are used by everyone, we still live in a world where
developers escape values themselves, and your proposal would reduce the chance
of them making mistakes.
Craig
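Craig's exhibit replayed against an in-memory SQLite table, as an added example that is not part of the thread: `escape_like_mysqli` is a constructed stand-in for mysqli::real_escape_string and the `user` rows are constructed sample data. It shows why the bug stays hidden (a normal id works, nothing errors), why escaping alone does not help in an unquoted position (a value with no quote characters passes the escaper untouched and is parsed as SQL), and two defences: a bound parameter, or an integer check for code that still concatenates.

```python
import sqlite3

# Characters mysqli::real_escape_string rewrites (constructed stand-in; no MySQL needed).
_ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
            "'": "\\'", '"': '\\"', "\x1a": "\\Z"}


def escape_like_mysqli(value: str) -> str:
    """Escape quote/control characters only; a value containing none is returned unchanged."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the `user` table named in the mail."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_escaped_unquoted(conn: sqlite3.Connection, user_id: str) -> list[str]:
    """The exhibit: escaped but never quoted, so the value is parsed as SQL, not as a literal."""
    sql = "SELECT name FROM user WHERE id = " + escape_like_mysqli(user_id)
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn: sqlite3.Connection, user_id: str) -> list[str]:
    """Hardened form: the driver binds the value, which can never alter the statement shape."""
    rows = conn.execute("SELECT name FROM user WHERE id = ?", (user_id,))
    return [row[0] for row in rows]


def lookup_validated(conn: sqlite3.Connection, user_id: str) -> list[str]:
    """Defence for code that still concatenates: enforce the integer type before building SQL."""
    if not user_id.isdecimal():
        raise ValueError("id must be a non-negative integer")
    sql = "SELECT name FROM user WHERE id = %d" % int(user_id)
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = build_db()
    print("normal id, unquoted escape:", lookup_escaped_unquoted(db, "2"))   # works, so nobody notices
    print("non-numeric id, unquoted escape:", lookup_escaped_unquoted(db, "1 OR 1=1"))
    print("non-numeric id, bound parameter:", lookup_parameterised(db, "1 OR 1=1"))
```

SQLite is not MySQL, but the point is the same in both: escaping only neutralises quote characters, so it protects nothing in a position where the value is not quoted.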