Implement mysqli::quote_string method

Author: kamil-tekiela

ext/mysqli/mysqli.stub.php

@@ -906,6 +906,11 @@ public function real_connect(
      */
     public function real_escape_string(string $string): string {}
 
+    /**
+     * @alias mysqli_quote_string
+     */
+    public function quote_string(string $string): string {}
+
     /**
      * @tentative-return-type
      * @alias mysqli_reap_async_query
@@ -1547,6 +1552,8 @@ function mysqli_real_escape_string(mysqli $mysql, string $string): string {}
 /** @alias mysqli_real_escape_string */
 function mysqli_escape_string(mysqli $mysql, string $string): string {}
 
+function mysqli_quote_string(mysqli $mysql, string $string): string {}
+
 function mysqli_real_query(mysqli $mysql, string $query): bool {}
 
 /** @refcount 1 */

ext/mysqli/mysqli_api.c

@@ -1363,6 +1363,29 @@ PHP_FUNCTION(mysqli_real_escape_string) {
 	RETURN_NEW_STR(newstr);
 }
 
+PHP_FUNCTION(mysqli_quote_string) {
+	MY_MYSQL	*mysql;
+	zval		*mysql_link = NULL;
+	char		*escapestr;
+	size_t		escapestr_len;
+	zend_string *newstr;
+
+	if (zend_parse_method_parameters(ZEND_NUM_ARGS(), getThis(), "Os", &mysql_link, mysqli_link_class_entry, &escapestr, &escapestr_len) == FAILURE) {
+		RETURN_THROWS();
+	}
+	MYSQLI_FETCH_RESOURCE_CONN(mysql, mysql_link, MYSQLI_STATUS_VALID);
+
+	newstr = zend_string_safe_alloc(2, escapestr_len+1, 0, 0);
+	ZSTR_VAL(newstr)[0] = '\'';
+	ZSTR_LEN(newstr) = 1 +  mysql_real_escape_string(mysql->mysql, ZSTR_VAL(newstr) + 1, escapestr, escapestr_len);
+	ZSTR_VAL(newstr)[ZSTR_LEN(newstr)] = '\'';
+	ZSTR_LEN(newstr) += 1;
+	ZSTR_VAL(newstr)[ZSTR_LEN(newstr)] = '\0';
+	newstr = zend_string_truncate(newstr, ZSTR_LEN(newstr), 0);
+
+	RETURN_NEW_STR(newstr);
+}
+
 /* {{{ Undo actions from current transaction */
 PHP_FUNCTION(mysqli_rollback)
 {

ext/mysqli/mysqli_arginfo.h

@@ -43,6 +43,7 @@ require_once 'skipifconnectfailure.inc';
         'ping'					=> true,
         'prepare'				=> true,
         'query'					=> true,
+        'quote_string'			=> true,
         'real_connect'			=> true,
         'real_escape_string'	=> true,
         'real_query'			=> true,

ext/mysqli/tests/mysqli_class_mysqli_interface.phpt

@@ -0,0 +1,83 @@
+--TEST--
+mysqli_quote_string()
+--EXTENSIONS--
+mysqli
+--SKIPIF--
+<?php
+require_once 'skipifconnectfailure.inc';
+?>
+--FILE--
+<?php
+
+require_once 'connect.inc';
+mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
+$link = my_mysqli_connect($host, $user, $passwd, $db, $port, $socket);
+
+echo mysqli_quote_string($link, '\\') . "\n";
+echo mysqli_quote_string($link, '"') . "\n";
+echo mysqli_quote_string($link, "'") . "\n";
+
+$escaped = mysqli_quote_string($link, "\' \ \"");
+echo $escaped . "\n";
+$result = $link->query("SELECT $escaped AS test");
+$value = $result->fetch_column();
+echo $value . "\n";
+
+$escaped = mysqli_quote_string($link, '" OR 1=1 -- foo');
+echo $escaped . "\n";
+$result = $link->query("SELECT $escaped AS test");
+$value = $result->fetch_column();
+echo $value . "\n";
+
+$escaped = mysqli_quote_string($link, "\n");
+if ($escaped !== "'\\n'") {
+    printf("[001] Expected '\\n', got %s\n", $escaped);
+}
+
+$escaped =  mysqli_quote_string($link, "\r");
+if ($escaped !== "'\\r'") {
+    printf("[002] Expected '\\r', got %s\n", $escaped);
+}
+
+$escaped =  mysqli_quote_string($link, "foo" . chr(0) . "bar");
+if ($escaped !== "'foo\\0bar'") {
+    printf("[003] Expected 'foo\\0bar', got %s\n", $escaped);
+}
+
+// Test that the SQL injection is impossible with NO_BACKSLASH_ESCAPES mode
+$link->query('SET @@sql_mode="NO_BACKSLASH_ESCAPES"');
+
+echo $link->quote_string('\\') . "\n";
+echo $link->quote_string('"') . "\n";
+echo $link->quote_string("'") . "\n";
+
+$escaped = $link->quote_string("\' \ \"");
+echo $escaped . "\n";
+$result = $link->query("SELECT $escaped AS test");
+$value = $result->fetch_column();
+echo $value . "\n";
+
+$escaped = $link->quote_string('" OR 1=1 -- foo');
+echo $escaped . "\n";
+$result = $link->query("SELECT $escaped AS test");
+$value = $result->fetch_column();
+echo $value . "\n";
+
+echo "done!";
+?>
+--EXPECT--
+'\\'
+'\"'
+'\''
+'\\\' \\ \"'
+\' \ "
+'\" OR 1=1 -- foo'
+" OR 1=1 -- foo
+'\'
+'"'
+''''
+'\'' \ "'
+\' \ "
+'" OR 1=1 -- foo'
+" OR 1=1 -- foo
+done!