PHP :: Request #46202 :: Avoid SQL injection by design

Avoid SQL injection by design

Submitted:

2008-09-30 09:26 UTC

Modified:

2011-07-07 03:32 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

olafvdspek at gmail dot com

Assigned:

Status:

Not a bug

Package:

*General Issues

PHP Version:

5.2.6

OS:

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	olafvdspek at gmail dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2008-09-30 09:26 UTC] olafvdspek at gmail dot com

Description:
------------
The standard mysql_query function is very prone to abuse. Could a function be added that's safer? Like, for example:

mysql_query_safe("insert into T (A, B, C) values (?, ?, ?)", $a, $b, $c);

The function would be a bit like sprintf, except it would automatically call mysql_real_escape_string on all non-int arguments and enclose them in single quotes. Safe types like int would not receive this treatment.

Reproduce code:
---------------
mysql_query("insert into T (A, B, C) values (?, ?, ?)", $a, $b, $c);

Expected result:
----------------
No SQL injection vulnerability

Actual result:
--------------
SQL injection vulnerability

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2008-09-30 10:14 UTC] scottmac@php.net

Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.

mysqli_prepare() already exists.

[2008-09-30 10:19 UTC] olafvdspek at gmail dot com

> Sorry, but your problem does not imply a bug in PHP itself. 

Guess why I used category: feature/change request. ;)

I'm aware of mysqli_prepare, but it's not what I requested, although the syntax might look similar.

mysqli_prepare is harder to use than mysql_query, instead of easier. That's no good...

[2011-07-06 07:24 UTC] olafvdspek at gmail dot com

SQL injections are still happening today and in a lot of cases PHP is involved. In 
my opinion it'd not be so hard to implement this feature request. It'd make a lot 
of people happy!
Could you reconsider?

[2011-07-07 03:32 UTC] aharvey@php.net

-Package: Feature/Change Request +Package: *General Issues

[2011-07-07 03:32 UTC] aharvey@php.net

Given the existence of both PDO and mysqli, I don't think anything Scott said 
three years ago has changed.

[2011-07-07 04:31 UTC] olafvdspek at gmail dot com

So mysql_query() is deprecated?
The mysql_query() page doesn't mention mysqli or PDO at all, wouldn't it be good 
to mention those if those are indeed the recommended way?

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Nov 07 02:00:01 2025 UTC