ID:          46202
 Updated by:  [EMAIL PROTECTED]
 Reported By: olafvdspek at gmail dot com
-Status:      Open
+Status:      Bogus
 Bug Type:    Feature/Change Request
 PHP Version: 5.2.6
 New Comment:

Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.

mysqli_prepare() already exists.


Previous Comments:
------------------------------------------------------------------------

[2008-09-30 09:26:54] olafvdspek at gmail dot com

Description:
------------
The standard mysql_query function is very prone to abuse. Could a
function be added that's safer? Like, for example:

mysql_query_safe("insert into T (A, B, C) values (?, ?, ?)", $a, $b,
$c);

The function would be a bit like sprintf, except it would automatically
call mysql_real_escape_string on all non-int arguments and enclose them
in single quotes. Safe types like int would not receive this treatment.

Reproduce code:
---------------
mysql_query("insert into T (A, B, C) values (?, ?, ?)", $a, $b, $c);

Expected result:
----------------
No SQL injection vulnerability

Actual result:
--------------
SQL injection vulnerability


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=46202&edit=1

Reply via email to