Description: ------------ With mysqli driver quote() does not work as expected. Of course this function is deprecated but there should be at least an exception when using quote with mysqli as this could be a mayor security flaw. Test script: --------------- Suggestion: Add the quote method of mysql.php to mysqli.php too: // }}} // {{{ quote() /** * @deprecated Deprecated in release 1.6.0 */ function quote($str) { return $this->quoteSmart($str); } Test for verifying functionality $sql = "`identifier` = ".$db->quote('1234\\') var_dump($sql); Expected result: ---------------- string(23) "`identifier` = '1234\\'" Actual result: -------------- string(22) "`identifier` = '1234\'"

mysql::quote() calls DB_common::quoteSmart() which calls mysql::escapeSimple() which calls PHP's mysql_real_escape_string() if that exists or mysql_escape_string(). If there's a problem, it's with PHP.

Thanks Daniel! There was a fix in version 1.8.0 as there was a quote function added for mysqli and the one of db_common was used before. IMHO this was a security flaw in versions before version 1.8.0.

I just released 1.8.1 which passes all quote() and quoteString() calls through quoteSmart().