How to automatically escape strings in a PHP SQL query?

Question

Here's how I currently do it:

$db->query(sprintf('INSERT INTO pages (title, content) VALUES ("%s", "%s")',
    $db->esc($title),
    $db->esc($content)));

As you can see I'm manually escaping each string in the above query by passing each string to my $db->esc() method.

First let me indicate that I don't want to use prepared statements.

The best idea I can come up with is to have my $db->query() method wrap sprintf() and automatically call $db->esc() on each string conversion specification - like this:

$db->query('INSERT INTO pages (title, content) VALUES ("%s", "%s")',
    $title,
    $content);

That looks great to me, but now my question becomes how do I correctly parse out all the string conversion specifications from the format string and call $db->esc() on each respective argument(before passing that all to sprintf())?

Would you do it a different way?

Couldn't you just escape **all** input parameters? I assume this wouldn't break conform data (like numeric values etc.). — Lukas, May 08 '13 at 05:07

sectus · Accepted Answer · 2013-05-08T05:16:23.630

You should read about prepared statement.

Prepare: The statement template is created by the application and sent to the database management system (DBMS). Certain values are left unspecified, called parameters, placeholders or bind variables (labelled "?" below):

    `INSERT INTO PRODUCT (name, price) VALUES (?, ?)`

The DBMS parses, compiles, and performs query optimization on the statement template, and stores the result without executing it. Execute: At a later time, the application supplies (or binds) values for the parameters, and the DBMS executes the statement (possibly returning a result).

And it's implimentation in PHP: PDO, MySQLi, PostgreSQL and other. So, there is no reason to implement it by yourself. Just use it.

score 1 · Answer 2 · edited May 23 '17 at 10:32

First let me indicate that you want to use prepared statements.
The very automatic "escaping" (although it have to be called formatting) you are talking of, is what exactly prepared statements are for.
Prepared statement is not necessarily have to be based on a database-supported native prepared statement. The general idea of prepared statement is to represent some query part with placeholder and to apply some formatting when replacing a placeholder with actial data. So - your approach is already using placeholders AKA prepared statements.

But there are some important things you missed

whatever "escaping" can do nothing good. Proper formatting have to be applied instead
proper string formatting require either quoting and escaping, and thus your prepared statements handler ought to apply both.
there are more than one different SQL literals, each require different formatting. So, to meet the real life requirements, you can't rely on a single esc() function

So, here you go - the code for such a wrapper you're asking for , which does correct formatting, and thus you will have your queries no less secure than with PDO. Although with all the limitations which PDO has.

So, if you want to properly format everything, that may may be added to the query, you will need another wrapper, a more complex one: safeMysql

How to automatically escape strings in a PHP SQL query?

2 Answers2

Linked