Ian Hickson wrote:
I think not having quote will make people write their own, and every so often fail at it. People that don't think about the possibility of getting exploited aren't going to use either '?' or quote() so they are hosed either way.

If we include examples for how to do this (embedding ? directly into the query and adding the stuff to the array), will that work? It's easier to do than quoting.

It does sound like a good idea to make all examples use the '?' syntax. I still think that providing a quote() implementation would do more good than harm, but admittedly I don't care that much. Especially given that the worst that can happen is bugs and not security breaches.

/ Jonas
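
The approach discussed in the message above (putting '?' directly into the query text while adding each value to the argument array), as an added example that is not part of the original thread. The `posts` table, its columns and the `buildQuery` helper are hypothetical; the returned `sql`/`args` pair is what would be passed to the database API's execute call.

```javascript
// Added example: build a query with a variable number of conditions using only
// '?' placeholders, never string-quoting values. Names here are hypothetical.
const ALLOWED_COLUMNS = new Set(["author", "status", "year"]);

function buildQuery(filters) {
  const clauses = [];
  const args = [];
  for (const [column, value] of Object.entries(filters)) {
    // Identifiers cannot be bound with '?', so they come from a fixed allowlist.
    if (!ALLOWED_COLUMNS.has(column)) {
      throw new Error("unknown column: " + column);
    }
    if (Array.isArray(value)) {
      if (value.length === 0) {
        clauses.push("0 = 1"); // an empty IN list matches nothing
        continue;
      }
      // One '?' per list element; the values go into the array in the same order.
      clauses.push(column + " IN (" + value.map(() => "?").join(", ") + ")");
      args.push(...value);
    } else if (value === null) {
      clauses.push(column + " IS NULL"); // "= ?" bound to NULL never matches
    } else {
      clauses.push(column + " = ?");
      args.push(value);
    }
  }
  const where = clauses.length ? " WHERE " + clauses.join(" AND ") : "";
  return { sql: "SELECT id, title FROM posts" + where, args };
}

// Constructed input: the apostrophe stays in the argument array and never
// touches the SQL text, so no quoting function is needed.
const example = buildQuery({ author: "O'Brien", year: [2008, 2009], status: null });
console.log(example.sql);
console.log(example.args);
```
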
