On Thu, 18 Dec 2025 at 21:03, Kamil Tekiela <[email protected]> wrote:
>
> Hello,
>
> I would like to open a discussion about adding a new function to PHP
>
> https://wiki.php.net/rfc/mysqli_quote_string
>
> Would you support such an addition?
>
> Regards,
> Kamil Tekiela
Hi All,

Despite receiving some criticism, I would like to bring it to a vote still. If this method doesn't get added, then it means that this SQL injection vulnerability will never be patched. Sure, most users have probably switched to prepared statements and we should encourage others to do so, but as long as manual escaping exists, it should be reliable and not prone to hidden SQL injection.

Matteo said:

> I agree it's not rocket science to add single quotes. Saying that we need to do that in core to avoid users "accidentally forgetting the quotation marks" seems a bit of an overstatement. If they had forgotten the quotes, most of the time the query would error out rather than silently working and allowing SQL injection.

I don't want people to focus on the wrong part of the RFC. It's not just about forgetting quotes. That is a problem the developer would introduce themselves and is usually easily noticeable. The trouble is when the user uses double quotes and thinks that everything is ok.

The main reason for this RFC is to provide an SQL-injection-safe function for manual escaping of strings. The existing function leads users into a false sense of security, as even when the data is escaped and quoted in double quotes, it remains vulnerable to SQL injection. Putting a warning into the PHP manual is certainly a good idea, but we could provide a fixed function and help users even more.

It paints PHP in a bad light when we ask users to add quotation marks manually around the return value of a function that should do it automatically, and then we put a warning in the PHP manual saying that while double quotes would work too, they are not SQL injection safe. Why can't PHP just provide a function that wraps it in the correct quotation marks instead?

Regards,
Kamil
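Added example, not part of the thread or of the RFC: a small Python model of why the choice of quote character matters for manually escaped values. It assumes MySQL's documented escaping behaviour: by default mysqli_real_escape_string() backslash-escapes special characters, but with sql_mode=NO_BACKSLASH_ESCAPES the backslash is literal and only the single quote is escaped (by doubling), so a value wrapped in double quotes can close the literal early while the same value wrapped in single quotes cannot. The escape functions are constructed imitations of that behaviour, not mysqli's own code.

```python
# Constructed model of MySQL's two escaping behaviours (not mysqli's code).
# Default sql_mode: special characters get a backslash in front of them.
BACKSLASH_MAP = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
                 "'": "\\'", '"': '\\"', "\x1a": "\\Z"}


def escape_default(value: str) -> str:
    """Escaping as done when backslash escapes are enabled (the default)."""
    return "".join(BACKSLASH_MAP.get(c, c) for c in value)


def escape_no_backslash(value: str) -> str:
    """Escaping under NO_BACKSLASH_ESCAPES: backslash is literal, so the only
    thing the escaper can do is double the single quote."""
    return value.replace("'", "''")


def literal_terminates_early(literal: str, delim: str, backslash_escapes: bool) -> bool:
    """Scan a quoted literal the way the SQL lexer would.  Returns True when the
    string closes before its last character, i.e. the tail is parsed as live SQL."""
    i, n = 1, len(literal)  # position 0 is the opening delimiter
    while i < n:
        c = literal[i]
        if backslash_escapes and c == "\\":
            i += 2  # backslash-escaped character, whatever it is
            continue
        if c == delim:
            if i + 1 < n and literal[i + 1] == delim:
                i += 2  # doubled delimiter stays inside the string
                continue
            return i != n - 1  # closed here; early unless it is the final char
        i += 1
    return False  # never closed: a syntax error, not a breakout


def injectable(value: str, delim: str, no_backslash_mode: bool) -> bool:
    """Escape `value` for the given sql_mode, wrap it in `delim`, and report
    whether untrusted text escapes the literal."""
    escaped = escape_no_backslash(value) if no_backslash_mode else escape_default(value)
    return literal_terminates_early(delim + escaped + delim, delim, not no_backslash_mode)


# Constructed probe strings: each quote style, with and without a leading backslash.
PROBES = ['" OR 1=1 -- ', "' OR 1=1 -- ", '\\" OR 1=1 -- ', "plain text"]


def delimiters_safe_in_both_modes() -> set:
    """Which wrapping quote keeps every probe inside the literal in both modes."""
    return {d for d in ("'", '"')
            if not any(injectable(p, d, m) for p in PROBES for m in (False, True))}
```

Only the single quote survives both server modes, which is the delimiter a built-in quoting function would apply for the caller.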
