Edit report at https://bugs.php.net/bug.php?id=61004&edit=1
ID: 61004
Updated by: ras...@php.net
Reported by: pazzo at bahnhof dot se
Summary: Add mysql_safe_query
Status: Wont fix
Type: Feature/Change Request
Package: MySQL related
Operating System: Any
PHP Version: Irrelevant
Block user comment: N
Private report: N

New Comment:

Note that this has been available in PHP since 2005, so it isn't exactly new.

Previous Comments:
------------------------------------------------------------------------
[2012-02-10 16:58:11] ras...@php.net

No, what you are describing is prepared statements, which are fully supported in both MySQLi and PDO. So the new interfaces do exactly what you propose. See:

http://www.php.net/manual/en/mysqli.prepare.php
http://www.php.net/manual/en/pdo.prepare.php

Both the ? placeholder style you proposed and the even safer named placeholder style are supported, e.g.:

$sth = $dbh->prepare('SELECT name, colour, calories FROM fruit WHERE calories < ? AND colour = ?');
$sth->execute(array(150, 'red'));

and

$sql = 'SELECT name, colour, calories FROM fruit WHERE calories < :calories AND colour = :colour';
$sth = $dbh->prepare($sql);
$sth->execute(array(':calories' => 150, ':colour' => 'red'));

------------------------------------------------------------------------
[2012-02-10 08:42:05] pazzo at bahnhof dot se

Are you seriously telling me that PHP created a new MySQL interface without dealing with the bad design of the queries?

------------------------------------------------------------------------
[2012-02-09 00:29:35] ahar...@php.net

ext/mysql is deprecated in PHP 5.4 (albeit without actual PHP warnings until PHP 5.5). Migrating to mysqli or PDO is strongly recommended at this time, and the legacy MySQL extension won't be receiving new features.
------------------------------------------------------------------------
[2012-02-08 21:59:43] phpmpan at mpan dot pl

Since people rarely refresh their knowledge, even when they know it's old, these links may help them realize that for at least a few years there have been newer and more secure solutions than the old mysql extension:

- http://www.php.net/manual/en/book.pdo.php
- http://www.php.net/manual/en/book.mysqli.php

------------------------------------------------------------------------
[2012-02-07 15:03:13] pazzo at bahnhof dot se

Description:
------------
Since people are bad at securing their code, even when they know how, this function may give more secure and more readable code:

mysql_safe_query('UPDATE people SET (name, number) VALUES ? WHERE name = ? or ?` = ?', array('new name', 5553475), 'old name', 'custom field', 5);

I've provided an example of how to solve this using PHP code.

Test script:
---------------
http://pastebin.com/8EcS9y1B

------------------------------------------------------------------------
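The two PDO placeholder styles shown in the 2012-02-10 reply, worked through end to end, as an added example that is not part of the bug report or of PHP's own documentation. It runs against an in-memory SQLite database so it needs no MySQL server (assumes the pdo_sqlite extension is loaded, which most PHP builds include); the fruit table, the three seed rows and the suspicious-looking input are constructed for the demonstration. It also goes one step beyond the thread: the proposed mysql_safe_query used a ? for a column name (the ?` = ? part of the request), and the last function shows why that cannot be a bind parameter and how to handle a runtime-chosen identifier instead.

```php
<?php
// Added example, not from the bug report. PDO prepared statements against an
// in-memory SQLite database so it runs offline (requires pdo_sqlite).
// The fruit table mirrors the schema used in the 2012-02-10 reply.

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$dbh->exec('CREATE TABLE fruit (name TEXT, colour TEXT, calories INTEGER)');
$seed = $dbh->prepare('INSERT INTO fruit (name, colour, calories) VALUES (?, ?, ?)');
// Constructed seed rows: each value is bound as data, never spliced into the SQL text.
foreach ([['apple', 'red', 95], ['strawberry', 'red', 50], ['banana', 'yellow', 105]] as $row) {
    $seed->execute($row);
}

// Positional placeholders: values are passed in the order the ? marks appear.
function lowCalorieByColour(PDO $dbh, int $maxCalories, string $colour): array
{
    $sth = $dbh->prepare('SELECT name, colour, calories FROM fruit WHERE calories < ? AND colour = ?');
    $sth->execute([$maxCalories, $colour]);
    return $sth->fetchAll(PDO::FETCH_ASSOC);
}

// Named placeholders: the same query keyed by name, so argument order cannot be mixed up.
function lowCalorieByColourNamed(PDO $dbh, int $maxCalories, string $colour): array
{
    $sql = 'SELECT name, colour, calories FROM fruit WHERE calories < :calories AND colour = :colour';
    $sth = $dbh->prepare($sql);
    $sth->execute([':calories' => $maxCalories, ':colour' => $colour]);
    return $sth->fetchAll(PDO::FETCH_ASSOC);
}

// Placeholders only ever stand for values. A column name chosen at runtime (the
// ?` = ? part of the proposed mysql_safe_query) must instead be checked against a
// fixed allow-list before it is written into the SQL string.
function orderedByColumn(PDO $dbh, string $column): array
{
    $allowed = ['name', 'colour', 'calories'];
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException("unknown sort column: $column");
    }
    $sth = $dbh->query("SELECT name FROM fruit ORDER BY \"$column\"");
    return $sth->fetchAll(PDO::FETCH_COLUMN);
}

print_r(lowCalorieByColour($dbh, 100, 'red'));
print_r(lowCalorieByColourNamed($dbh, 100, 'red'));

// Constructed input containing a quote and SQL keywords: bound as a value, it is
// compared literally against the colour column, so the query simply matches no row.
$suspicious = "red' OR '1'='1";
var_dump(count(lowCalorieByColour($dbh, 100, $suspicious)));

print_r(orderedByColumn($dbh, 'calories'));
try {
    orderedByColumn($dbh, 'price');   // not in the allow-list, so it is rejected
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Run it with `php example.php`. The first two calls return the same two red fruits under 100 calories, the bound "suspicious" string returns no rows because the driver never lets it alter the statement text, and the unknown column name is rejected before any SQL is built. One caveat for MySQL users: by default PDO's MySQL driver emulates prepares client-side (PDO::ATTR_EMULATE_PREPARES), which is still safe for values as long as the connection charset is set correctly; setting that attribute to false sends true server-side prepared statements like MySQLi does.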