undefined | Better HN

0 pointswbl1y ago0 comments

T_PAAMAYIM_NEKUDOTIM, mysql_real_es ape2, parse_str, etc.

0 comments

6 comments · 1 top-level

duskwuff1y ago· 5 in thread

> mysql_real_escape2

Blame MySQL for that name, not PHP.

https://dev.mysql.com/doc/c-api/8.4/en/mysql-real-escape-str...

(And, if you're doing modern PHP, it's just PDO->quote().)

munk-a1y ago

I'm not certain about OP's objection but for me it's less the function name and more the terrible history of how PHP tried to automatically fix SQL injection and instead made everything a thousand times worse. If you're not using bound parameters for user data you're taking a huge risk and making your life multitudes more difficult. PHP's PDO is by far the better option at this point but it suffers from poor enough usability that I've built my own wrapper for it at two different companies.

hparadiz1y ago

Writing a wrapper for PDO is standard operating procedure for various good reasons.

Dylan168071y ago

> the terrible history of how PHP tried to automatically fix SQL injection and instead made everything a thousand times worse

Are you thinking of stuff like magic quotes? mysql_real_escape is not part of an automatic anything. You manually use it to quote each value.

wblOP1y ago

Why should I blame MySQL? It's the PHP developers that decided to introduce it and not change the name, plus have several functions that don't do the right thing as well.

cess111y ago

This hasn't been an issue for like fifteen years or whatever.

In hindsight I think it's a good thing, it's a pea that keeps princesses at a distance from the language.

j / k navigate · click thread line to collapse