
"Create PHP code" creates broken code and encourages SQL injection #19098

Open

kamil-tekiela opened this issue Apr 6, 2024 · 1 comment

@kamil-tekiela (Contributor)

Describe the bug

There exists a button that enables the user to convert an SQL query into a PHP variable. When you click "Create PHP code", a box shows up with PHP code containing a single variable called $sql, whose assigned value is the SQL that was executed earlier.

To Reproduce

Steps to reproduce the behavior:

  1. Go to browse table
  2. Add a WHERE 'asd' = 'foo' clause
  3. Click on "Create PHP code"
  4. See broken code

Expected behavior

There should exist no such button. Creation of PHP code should be the responsibility of the PHP developer, who will take care of proper parameterization and proper PHP/SQL syntax. The only benefit this button provides is the automatic addslashes, which actually creates invalid SQL.

SELECT * FROM `sequence` WHERE \'asd\' = \'foo\';

This button promotes insecure PHP coding practices, as inexperienced users may use it to create hardcoded queries and later replace the constant value with an interpolated PHP variable, creating SQL injection.

I suggest that this feature be removed from PMA in the next major version.

@williamdes (Member)

We should switch to PDO for examples.
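An added example (not phpMyAdmin's code) illustrating both points raised above: the addslashes output from the issue is not valid SQL, interpolating a PHP variable into the query string lets the value change the query's meaning, and a PDO prepared statement with a bound parameter avoids both. It assumes the pdo_sqlite extension; the `sequence` table and its rows are constructed here so it runs offline against an in-memory database.

```php
<?php
// Added example, not phpMyAdmin's code. Runs against an in-memory SQLite
// database (requires pdo_sqlite); the table and rows below are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE sequence (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO sequence (name) VALUES ('foo'), ('bar')");

// (1) The query from the issue, passed through addslashes() as the
//     "Create PHP code" button does. The backslashes it inserts are PHP
//     string-literal escaping, not SQL syntax, so the text is not a valid query.
$query     = "SELECT * FROM `sequence` WHERE 'asd' = 'foo';";
$generated = addslashes($query);
echo "generated text: $generated\n";
try {
    $pdo->query($generated);
    echo "generated text was accepted as SQL\n";
} catch (PDOException $e) {
    echo "generated text is invalid SQL: " . $e->getMessage() . "\n";
}

// (2) The pattern the issue warns about: the constant is later replaced by an
//     interpolated PHP variable. A value containing a quote is parsed as SQL,
//     so the WHERE clause no longer compares against a single name.
$name = "x' OR '1'='1";   // constructed input containing a quote
$rows = $pdo->query("SELECT * FROM `sequence` WHERE name = '$name'")->fetchAll();
echo "interpolated query matched " . count($rows) . " rows for a name that does not exist\n";

// (3) Parameterized form: the value is bound by the driver and never parsed
//     as SQL, so the same input matches nothing.
$stmt = $pdo->prepare('SELECT * FROM `sequence` WHERE name = :name');
$stmt->execute([':name' => $name]);
echo "prepared statement matched " . count($stmt->fetchAll()) . " rows\n";
```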
