Edit report at https://bugs.php.net/bug.php?id=46202&edit=1
ID: 46202 Comment by: olafvdspek at gmail dot com Reported by: olafvdspek at gmail dot com Summary: Avoid SQL injection by design Status: Bogus Type: Feature/Change Request Package: Feature/Change Request PHP Version: 5.2.6 Block user comment: N Private report: N New Comment: SQL injections are still happening today and in a lot of cases PHP is involved. In my opinion it'd not be so hard to implement this feature request. It'd make a lot of people happy! Could you reconsider? Previous Comments: ------------------------------------------------------------------------ [2008-09-30 10:19:04] olafvdspek at gmail dot com > Sorry, but your problem does not imply a bug in PHP itself. Guess why I used category: feature/change request. ;) I'm aware of mysqli_prepare, but it's not what I requested, although the syntax might look similar. mysqli_prepare is harder to use than mysql_query, instead of easier. That's no good... ------------------------------------------------------------------------ [2008-09-30 10:14:45] scott...@php.net Sorry, but your problem does not imply a bug in PHP itself. For a list of more appropriate places to ask for help using PHP, please visit http://www.php.net/support.php as this bug system is not the appropriate forum for asking support questions. Due to the volume of reports we can not explain in detail here why your report is not a bug. The support channels will be able to provide an explanation for you. Thank you for your interest in PHP. mysqli_prepare() already exists. ------------------------------------------------------------------------ [2008-09-30 09:26:54] olafvdspek at gmail dot com Description: ------------ The standard mysql_query function is very prone to abuse. Could a function be added that's safer? Like, for example: mysql_query_safe("insert into T (A, B, C) values (?, ?, ?)", $a, $b, $c); The function would be a bit like sprintf, except it would automatically call mysql_real_escape_string on all non-int arguments and enclose them in single quotes. Safe types like int would not receive this treatment. Reproduce code: --------------- mysql_query("insert into T (A, B, C) values (?, ?, ?)", $a, $b, $c); Expected result: ---------------- No SQL injection vulnerability Actual result: -------------- SQL injection vulnerability ------------------------------------------------------------------------ -- Edit this bug report at https://bugs.php.net/bug.php?id=46202&edit=1