[PHP-DEV] Re: MySQLi Execute Query RFC
On Thu, 21 Apr 2022 at 15:04, Craig Francis wrote:
> On Wed, 6 Apr 2022 at 17:38, Craig Francis wrote:
>
>> Kamil has been working on a proof of concept for a
>> `mysqli_execute_query($sql, $params)` function, and I've written up a draft
>> RFC for it:
>>
>> https://wiki.php.net/rfc/mysqli_execute_query
>>
>> It's continuing the work Kamil has done with the "mysqli bind in execute"
>> RFC [1], to make parameterised MySQLi queries even easier, by creating a
>> single function that takes the SQL and Parameters and
>> returns mysqli_result|false.
>>
>> While this can be implemented in userland, the focus is on trying to make
>> parameterised queries as easy as possible, so developers are less
>> likely to use risky escaping.
>
> Just officially introducing and putting this RFC in the "Under Discussion"
> phase.

And step 6... a one day heads up before this is moved to the Voting status,
where there are currently no Open Questions/Issues.

Thanks,
Craig
Re: [PHP-DEV] Re: MySQLi Execute Query RFC
Hi Craig,

> https://wiki.php.net/rfc/mysqli_execute_query

Thanks. Maybe add (or even start with) an example of mysqli_query(), to show
how "migrating to safer" would become easier? Retro-fitting your example of
parameterised query:

```
$sql_format = "SELECT * FROM user WHERE name LIKE %s AND type IN (%s, %s)";
/* ... */
$sql_raw = vsprintf($sql_format, array_map(fn ($s) => "'" . $db->real_escape_string($s) . "'", [$name, $type1, $type2]));
foreach ($db->query($sql_raw) as $row) {
    print_r($row);
}
```

Regards,

--
Guilliam Xavier
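The "before/after" comparison Guilliam asks for, written out as an added example that is not code from the thread or from the RFC. It assumes the proposed function as it later shipped in PHP 8.2 (`mysqli::execute_query(string $sql, ?array $params)`, returning `mysqli_result|bool`), placeholder connection credentials, and a `user` table with `name` and `type` columns; the function names `find_users_escaped` and `find_users_parameterised` are made up for the example.

```php
<?php
// Added example, not part of the RFC or the mailing-list thread.
// Assumes the RFC's function as shipped in PHP 8.2 (mysqli::execute_query)
// and placeholder credentials/table names.

// Throw mysqli_sql_exception on errors instead of returning false silently,
// so a failed query cannot be mistaken for "no rows".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // placeholders
// real_escape_string() only escapes correctly for the connection's charset,
// so the charset must be set on the connection, not just assumed.
$db->set_charset('utf8mb4');

// "Before": the escaping approach from Guilliam's retro-fitted example.
// Every value has to be escaped *and* quoted by hand; one forgotten
// real_escape_string() call, or a charset mismatch, is the classic injection bug.
function find_users_escaped(mysqli $db, string $name, string $type1, string $type2): array
{
    $sql_format = "SELECT * FROM user WHERE name LIKE %s AND type IN (%s, %s)";
    $sql_raw = vsprintf($sql_format, array_map(
        fn ($s) => "'" . $db->real_escape_string($s) . "'",
        [$name, $type1, $type2]
    ));
    return $db->query($sql_raw)->fetch_all(MYSQLI_ASSOC);
}

// "After": the same query with mysqli_execute_query / execute_query.
// The SQL text contains only placeholders; the values travel separately,
// so there is nothing to escape or quote and nothing to forget.
function find_users_parameterised(mysqli $db, string $name, string $type1, string $type2): array
{
    $sql = "SELECT * FROM user WHERE name LIKE ? AND type IN (?, ?)";
    return $db->execute_query($sql, [$name, $type1, $type2])->fetch_all(MYSQLI_ASSOC);
}

// Same result set from both functions for ordinary input; the parameterised
// version is also correct for input containing quotes, backslashes or
// comment markers. Note that LIKE wildcards (% and _) are *data* in both
// versions and are still interpreted by MySQL, so escape them separately
// if a literal match is intended.
$rows = find_users_parameterised($db, "O'Brien%", 'admin', 'staff');
foreach ($rows as $row) {
    print_r($row);
}
```

The point of the comparison is the amount of code a developer has to get right: the escaped version needs a correctly configured charset, an escape call per value and manual quoting, while the parameterised version reduces to one function call with an array.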
[PHP-DEV] Re: MySQLi Execute Query RFC
On Wed, 6 Apr 2022 at 17:38, Craig Francis wrote:
> Kamil has been working on a proof of concept for a
> `mysqli_execute_query($sql, $params)` function, and I've written up a draft
> RFC for it:
>
> https://wiki.php.net/rfc/mysqli_execute_query
>
> It's continuing the work Kamil has done with the "mysqli bind in execute"
> RFC [1], to make parameterised MySQLi queries even easier, by creating a
> single function that takes the SQL and Parameters and
> returns mysqli_result|false.
>
> While this can be implemented in userland, the focus is on trying to make
> parameterised queries as easy as possible, so developers are less
> likely to use risky escaping.

Just officially introducing and putting this RFC in the "Under Discussion"
phase.

Craig