On Sat, 17 Jul 2021 at 08:59, Hans Henrik Bergan <divinit...@gmail.com> wrote:
> i can tell from only that diff that, at least as of 5.5.1, woocommerce is
> not compatible with @@SQL_MODE=ANSI_QUOTES :p

Yep, and I did that years ago - I preferred to use single quotes for strings in PHP (so variables stood out), and double quotes for SQL.

Just for fun, `NO_BACKSLASH_ESCAPES` is a good way to mess with people (I believe the "real" escaping method can catch this, but I wouldn't trust it).

When it comes to escaping in general, my favourite mistake is:

    $sql = 'WHERE id = ' . $mysqli->real_escape_string($_GET['id']);

Where the assumed-to-be number hasn't been quoted at all :-)

PDO::quote() does work a bit better (by adding the quotes itself), but I still prefer its documentation - noting how the quoted string is only "theoretically safe", and that "you are strongly recommended to use PDO::prepare() to prepare SQL statements with bound parameters".

https://www.php.net/manual/en/pdo.quote.php

Craig
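The unquoted-number mistake Craig describes, worked through as an added example (not code from the thread or from PHP/WooCommerce). It is a Python analogue of the PHP pattern, using an in-memory sqlite3 table with constructed sample rows; `mysql_style_escape` is an assumed approximation of what `real_escape_string` does under the default SQL mode (it does not model `ANSI_QUOTES` or `NO_BACKSLASH_ESCAPES`), included only to show that escaping is irrelevant when the value lands in an unquoted position. The two fixes are the ones the thread points at: validate-and-cast, and a bound parameter as the PDO docs recommend.

```python
import sqlite3

# Approximation (an assumption for this example, not mysqli's real code) of
# what real_escape_string does under MySQL's default SQL mode: it backslash-
# escapes characters that could end or alter a quoted string literal. Note
# what it does NOT do: add the surrounding quotes.
_ESCAPES = {
    "\\": "\\\\", "'": "\\'", '"': '\\"',
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
}


def mysql_style_escape(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table with three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name) VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, raw_id: str) -> list[str]:
    """The mistake from the thread: escaping a value and then dropping it
    into an unquoted (numeric) position. Escaping only protects string
    literals, so input that contains no quote characters passes through
    untouched and is parsed as SQL."""
    sql = "SELECT name FROM users WHERE id = " + mysql_style_escape(raw_id)
    return [row[0] for row in conn.execute(sql)]


def is_valid_id(raw_id: str) -> bool:
    """Whitelist check: an id is a non-negative decimal integer, nothing else."""
    return raw_id.isdigit()


def lookup_validated(conn: sqlite3.Connection, raw_id: str) -> list[str]:
    """Fix 1: validate and cast before the value ever reaches the query text."""
    if not is_valid_id(raw_id):
        raise ValueError(f"rejected non-numeric id: {raw_id!r}")
    sql = "SELECT name FROM users WHERE id = " + str(int(raw_id))
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn: sqlite3.Connection, raw_id: str) -> list[str]:
    """Fix 2 (what the PDO::quote docs recommend): a prepared statement with
    a bound parameter. The value travels separately from the SQL text, so
    it is never parsed as SQL, whatever it contains."""
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (raw_id,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = setup_db()
    crafted = "1 OR 1=1"  # constructed input: no quote characters to escape
    print("unsafe:   ", lookup_unsafe(db, crafted))  # every row comes back
    print("bound:    ", lookup_bound(db, crafted))   # []
    print("validated:", is_valid_id(crafted))        # False
```

Note the detection angle: a value that survives `real_escape_string` unchanged is exactly the class of input the unquoted version cannot defend against, which is why validating the type (or binding the parameter) rather than escaping is the check worth putting in code review.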