Hi,
Could htmlspecialchars() use ENT_QUOTES by default?
I recently worked on an example script, where I tried to keep it simple by
using htmlspecialchars directly, e.g.
echo "";
I'd completely forgotten that single quotes are not escaped by default,
creating an XSS vulnerability, e.g.
$
Hi,
Could the mysqli extension be tweaked to make parameterised queries easier?
I've started an RFC at:
https://wiki.php.net/rfc/mysqli_execute_parameters
I'm going on the basis that some developers use mysqli directly, often
because they want a small stand-alone script that has no dependencies
FWIW I'm surprised with the lack of ENT_DISALLOWED, personally I use
function tohtml(string $str): string { return htmlentities($str, ENT_QUOTES |
ENT_HTML401 | ENT_SUBSTITUTE | ENT_DISALLOWED, 'UTF-8', true); }
On Sat, 26 Dec 2020 at 12:03, Craig Francis wrote:
> Hi,
>
> Could htmlspecialchars() use ENT_Q
Hi Craig,
This is a great proposal, and I am delighted that someone is still
interested in mysqli and wants to improve it. I will discuss the
proposal below, but first some notes about the RFC itself:
1. mysqli_execute() is not deprecated despite what the PHP manual said
for the past 14 years. It
>
> I want to re-iterate my opinion on this discussion thread: anything
> with a prefix is a hard-no from me. Namespaces are literally designed
> for this, and I will not vote "yes" to `iter_all`, `iterable_all`,
> etc, no matter what the prefix is. Anything without a namespace is a
> no from me.
>
Hi Kamil,
Thank you for your initial thoughts, adding the syntax highlighting, and
the suggestion to use the splat operator; it's really appreciated.
Good to know about mysqli_execute() not actually being deprecated, I'll try
to think of a different name, maybe mysql::run(), to keep it short
(sug
Hi Aran,
I'll need someone else to comment, but I don't think the underlying MySQL
libraries support named parameters, so that would be a bigger change (and
probably should be under its own RFC).
Maybe one day, but for now, I'd simply use PDO, which has its own quirks
(like emulated prepared stat