On Wed, 2015-04-01 at 20:27 +0200, Marc Bennewitz wrote:

> > https://bugs.php.net/bug.php?id=69348 - breaks MySQL
> -> It's a bug and should be fixed (non locale based functionality)
> -> Couldn't this one be a security issue
No, this is not a bug in this function, and no, it is not a security issue. The user asks to escape a string and provides a double. The double is therefore converted to a string according to PHP's rules and then correctly escaped. Now PHP's rules are a bit unfortunate and might lead to wrong data being stored.

From the MySQL perspective the correct usage is not to escape numeric types. Those can be put in the query directly. (Code like $d = (double)$foo; $sql = "SELECT * FROM t WHERE d=$d"; is safe.) Or, maybe better, use prepared statements.

Also mind: locale not only has an impact on number->string conversion but also on different string operations like uppercase/lowercase conversion (see Turkish i->I->y).

Revising locale might be a good idea, however not by removing a function but by finding a way to make the behavior more explicit to the user. Removing the function will cause trouble when interacting with external libraries and programs which are locale dependent.

johannes

--
ORACLE Deutschland B.V. & Co. KG | Riesstraße 25 | 80992 München
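The point of the reply is that escaping is the wrong tool for numbers: an escape function neutralises quote and control characters, so a decimal comma produced by a locale-dependent float-to-string conversion (PHP did this before 8.0 when LC_NUMERIC was set) passes straight through into the query. The following is an added Python model, not code from the thread or from PHP: mysql_escape() mirrors the character set that mysql_real_escape_string handles, "1,5" is a constructed stand-in for what a German-locale conversion of 1.5 would have produced, and sql_number() is the mitigation Johannes describes (cast, then interpolate directly) with a strict, locale-independent rendering and a rejection path for values that are not finite numbers.

```python
import math
import re
from decimal import Decimal

# The bytes mysql_real_escape_string neutralises. Anything else, including a
# locale-produced decimal comma, is passed through unchanged.
_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}


def mysql_escape(text: str) -> str:
    """Model of mysql_real_escape_string: it escapes, it does not validate."""
    return "".join(_ESCAPES.get(ch, ch) for ch in text)


def escaped_float_query(number_as_string: str) -> str:
    """The pattern from the bug report: a double that the runtime already
    turned into a string (possibly with a locale-dependent separator), then
    escaped and quoted. The escape step cannot repair the separator."""
    return "SELECT * FROM t WHERE d='%s'" % mysql_escape(number_as_string)


# Exactly the shape a SQL numeric literal may take: digits, optional fraction
# with a '.', optional exponent. A comma never matches.
_NUMERIC = re.compile(r"^-?\d+(\.\d+)?([eE][-+]?\d+)?$")


def sql_number(value) -> str:
    """Locale-independent rendering of a number for direct use in SQL.

    Only real numeric types are accepted (bool is deliberately excluded),
    non-finite floats are refused, and the final literal is re-checked
    against _NUMERIC so a surprising rendering can never reach the query.
    """
    if isinstance(value, bool) or not isinstance(value, (int, float, Decimal)):
        raise TypeError("numeric value required, got %r" % (value,))
    if isinstance(value, float):
        if not math.isfinite(value):
            raise ValueError("non-finite float cannot be a SQL literal")
        literal = repr(value)  # repr() always uses '.', whatever the locale
    else:
        literal = str(value)   # Decimal('NaN') / 'Infinity' fail the check below
    if not _NUMERIC.match(literal):
        raise ValueError("unexpected numeric rendering: %r" % (literal,))
    return literal


def direct_float_query(value) -> str:
    """The safe variant from the reply: cast to a number, then interpolate
    the number itself, unquoted, into the statement."""
    return "SELECT * FROM t WHERE d=%s" % sql_number(value)


def is_safe_number(value) -> bool:
    """True if sql_number() would accept the value, False if it refuses it."""
    try:
        sql_number(value)
    except (TypeError, ValueError):
        return False
    return True


if __name__ == "__main__":
    # Constructed input: what a German-locale string conversion of 1.5 yields.
    print(escaped_float_query("1,5"))   # comma survives; MySQL will not read 1.5
    print(direct_float_query(1.5))      # SELECT * FROM t WHERE d=1.5
    print(is_safe_number(float("nan")), is_safe_number("1,5"))  # False False
```

sql_number() is the programmatic form of "cast, then interpolate": the cast happens in the caller's type system, the rendering is fixed to the SQL grammar rather than to the process locale, and the regex acts as a final guard so the function fails closed if a future Python or Decimal change renders a value in an unexpected way. Prepared statements with typed parameters remain the simpler option when the driver offers them.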