Automatic Escaping of SQL Parameters

Escaping of SQL parameters in PHP is an needlessly tedious and error-prone process. Calling the right escaping function for every parameter that might be dangerous is a difficult task in a big project. This is just dangerous and calls for SQL-Injection-Attacks.

It’s obvious we need a uniform query function that automatically does the escaping for us. Perl-style parameter binding seems to be just the right choice. You can write your query, insert placeholders in the form of :n and pass the parameters to our function. The function automatically detects the datatype of the parameter for us and escapes it if needed.

query( 
    'SELECT posts 
        FROM blog 
        WHERE 
            status = :2
            AND created = :1',
    POST_STATUS_ACTIVE,
    '2007-08-02'
);

Read complete post »