Doc Bug #77531 MySQLi example code promotes bad security practice
Submitted: 2019-01-27 22:48 UTC Modified: 2019-01-28 12:50 UTC
Avg. Score: 3.0 ± 0.0
Reproduced: 0 of 1 (0.0%)
From: marcus dot watson at loumiaconsulting dot com Assigned:
Status: Open Package: MySQLi related
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None


 [2019-01-27 22:48 UTC] marcus dot watson at loumiaconsulting dot com
From manual page:

If this is to be a basic example of database handling and you do not want to use parameterization or promote security for the sake of brevity, I suggest using an approach that does not include string concatenation.

The current example is a bad habit to promote to developers. Developers unaware of SQL injection will focus on the "$result = $mysqli->query($sql)" part and omit any validation that has been performed previously. Typical InfoSec best practice dictates implementing parameterization first, *then* validation.

Suggested alternative: Use a hard-coded query to return a status (e.g. the total number of actors/movies in the database, or which customer has the largest number of fines).

Leave the dynamic queries for another example altogether, where the correct approach can be demonstrated, and cross-referenced from this page if dynamic queries are required.

This approach would demonstrate static queries with single/multiple rows. The more complex example would include dynamic queries with single/multiple rows, thus covering the main scenarios that teams would encounter.

I'm happy to collaborate with the assignee to formulate the code.
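To make the distinction the report draws concrete, here is an added example (not code from the PHP manual or from the reporter) showing a static query for a basic example, the concatenation pattern the report objects to, and the same dynamic query done with a prepared statement. It assumes a mysqli connection and a constructed `film` table with `film_id` and `title` columns.

```php
<?php
// Added illustration for this report, not code from the PHP manual.
// Assumes a mysqli connection and a constructed schema with a
// "film" table having "film_id" and "title" columns.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli("localhost", "user", "password", "example_db");

// 1. Static query, suitable for a basic example: no user input reaches
//    the SQL text, so a reader who copies it cannot introduce an injection.
$result = $mysqli->query("SELECT COUNT(*) AS total FROM film");
$row = $result->fetch_assoc();
printf("Films in catalogue: %d\n", $row["total"]);

// 2. The pattern the report objects to: the request value is concatenated
//    into the statement, so whatever the caller sends becomes SQL syntax.
//    Left commented out; it is here only to contrast with (3).
// $sql = "SELECT title FROM film WHERE film_id = " . $_GET["id"];
// $result = $mysqli->query($sql);

// 3. The same dynamic query with parameterization. The SQL text is fixed
//    when prepare() runs and the value travels separately, so the driver
//    can only treat it as data. The integer check is a separate input
//    hygiene step: the query stays injection-safe even without it.
$id = filter_input(INPUT_GET, "id", FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit("film id must be an integer");
}
$stmt = $mysqli->prepare("SELECT title FROM film WHERE film_id = ?");
$stmt->bind_param("i", $id);
$stmt->execute();
$result = $stmt->get_result();          // requires the mysqlnd driver
foreach ($result->fetch_all(MYSQLI_ASSOC) as $film) {
    // Escape on output as well; the database is not the only sink.
    echo htmlspecialchars($film["title"], ENT_QUOTES, "UTF-8"), "\n";
}
$stmt->close();
```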


 [2019-01-28 12:50 UTC]
-Summary: MySQLi example code promotes security bad practice
+Summary: MySQLi example code promotes bad security practice
-Package: Documentation problem
+Package: MySQLi related
 [2019-01-28 12:50 UTC]
Hello Marcus,

First of all, thank you for pointing this out and for being willing to collaborate.

The best way to proceed would be for you to edit the documentation with the help of the online doc editor located at (or use the direct link from the manual to edit this specific page).

After having edited the corresponding XML file, submit a patch via the editor and optionally attach the patch to this bug report, so that a member of the doc team can review and accept it.

Best regards.