oh dear
-
It's not an excuse but just in case you didn't know, I believe that particular php doc site is wiki-like, i.e. you/we could fix this
-
Or at least perhaps put a big red warning on it saying 'don't actually do this' I suppose
-
I think it's made in case you need to use it for some random reason, but PDO is the way to go in a common scenario. Anyway, the use of an MVC framework is common nowadays and they give you tools to sanitize and filter data. It's still stupid.
-
But mysqli ***supports prepared statements***, they just aren't using them in the example!
-
This Tweet is unavailable.
-
Yes. Yes they did.
-
I think the right thing to do with these functions is to slowly deprecate to opt-in. Start by putting warnings on all of these example pages and the doc pages for individual functions (http://php.net/manual/en/mysqli.query.php …); escalate to stdout warnings and eventually a disabled-by-default flag
-
It is not possible to fix SQLi via deprecation. You need to educate people not to concatenate SQL and data. They already deprecated mysql, which was the old module that *only* supported that. They're just teaching people to use mysqli the wrong way.
-
Except nobody in their right mind takes the examples on the php docs seriously. php.net is to look up function signatures, nothing else. Everything else is on http://phptherightway.com
-
How are newbies supposed to know where to look? http://php.net examples are what Google gets you. It's ridiculous that newbies have to learn to ignore the language's own site.
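
The contrast the thread is arguing about, as an added example that is not part of the conversation or of the PHP manual: the same lookup written with string concatenation and with a mysqli prepared statement. The `users` table, its rows, the two function names and the `MYSQL_*` environment variables are assumptions; the variables must point at a MySQL server and database where the account may create temporary tables.

```php
<?php
// Added illustration. The `users` table, its rows and the MYSQL_* environment
// variables are assumptions made for this example.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

// Pattern criticised in the thread: data is concatenated into the SQL text,
// so the server parses the value as part of the statement.
function find_user_concatenated(mysqli $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetch_all(MYSQLI_ASSOC);
}

// Prepared statement: the SQL text is fixed and the value is sent separately
// as a bound parameter, so it is never parsed as SQL.
function find_user_prepared(mysqli $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // get_result() needs mysqlnd
    $stmt->close();
    return $rows;
}

$db = new mysqli(
    getenv('MYSQL_HOST') ?: 'localhost',
    getenv('MYSQL_USER') ?: null,
    getenv('MYSQL_PASSWORD') ?: null,
    getenv('MYSQL_DATABASE') ?: null
);
$db->set_charset('utf8mb4');

// Constructed sample data in a temporary table (dropped when the connection closes).
$db->query('CREATE TEMPORARY TABLE users (id INT PRIMARY KEY, name VARCHAR(64))');
$db->query("INSERT INTO users VALUES (1, 'Alice'), (2, 'O''Brien')");

$name = "O'Brien"; // constructed input: an ordinary surname containing a quote

try {
    find_user_concatenated($db, $name);
} catch (mysqli_sql_exception $e) {
    // The quote ended the string literal early and the rest became SQL syntax.
    echo "concatenated query failed: ", $e->getMessage(), "\n";
}

print_r(find_user_prepared($db, $name));
```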