PHP :: Request #61004 :: Add mysql_safe

Request #61004	Add mysql_safe_query
Submitted:	2012-02-07 15:03 UTC	Modified:	2012-02-10 16:59 UTC
From:	pazzo at bahnhof dot se	Assigned:
Status:	Wont fix	Package:	MySQL related
PHP Version:	Irrelevant	OS:	Any
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	pazzo at bahnhof dot se
New email:
PHP Version:		OS:

New Comment:

[2012-02-07 15:03 UTC] pazzo at bahnhof dot se

Description:
------------
Since people are bad at securing their code, even when they know how, this 
function may give securer and more readable code:

mysql_safe_query('UPDATE people SET (name, number) VALUES ? WHERE name = ? or ?` 
= ?',
     array('new name', 5553475), 'old name', 'custom field', 5);


I've provided an example of how to solve this using php code.

Test script:
---------------
http://pastebin.com/8EcS9y1B

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2012-02-08 21:59 UTC] phpmpan at mpan dot pl

Since people rarely refresh their knowledge, even when they know it's old, those links may help realizing that for at least few years there are newer and more secure solutions than old mysql extension:
- http://www.php.net/manual/en/book.pdo.php
- http://www.php.net/manual/en/book.mysqli.php

[2012-02-09 00:29 UTC] aharvey@php.net

-Status: Open +Status: Wont fix

[2012-02-09 00:29 UTC] aharvey@php.net

ext/mysql is deprecated in PHP 5.4 (albeit without actual PHP warnings until PHP 
5.5). Migrating to mysqli or PDO is strongly recommended at this time, and the 
legacy MySQL extension won't be receiving new features.

[2012-02-10 08:42 UTC] pazzo at bahnhof dot se

Are you seriously telling me that PHP created a new MySQL interface without 
dealing with the bad design of the queries?

[2012-02-10 16:58 UTC] rasmus@php.net

No, what you are describing is prepared statements which are fully supported in 
both MySQLi and PDO. So the new interfaces do exactly what you propose.

See:

http://www.php.net/manual/en/mysqli.prepare.php
http://www.php.net/manual/en/pdo.prepare.php

Both the ? placeholder style you proposed and the even safer named placeholder 
style are supported:

eg.

$sth = $dbh->prepare('SELECT name, colour, calories
    FROM fruit WHERE calories < ? AND colour = ?');
$sth->execute(array(150, 'red'));

and

$sql = 'SELECT name, colour, calories
    FROM fruit WHERE calories < :calories AND colour = :colour';
$sth = $dbh->prepare($sql);
$sth->execute(array(':calories' => 150, ':colour' => 'red'));

[2012-02-10 16:59 UTC] rasmus@php.net

Note that this has been available in PHP since 2005, so it isn't exactly new.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri May 09 13:01:28 2025 UTC