Database wrapper that escapes values properly, allowing meaningful queries with parametrized values.

Install it through composer with:

```shell
composer require neoparla/dbescaper
```
To create an instance, just initialize it with the connection data.

```php
$db_escaper = DbEscaper::init(
    array(
        'host'   => 'host',
        'user'   => 'user',
        'pass'   => 'pass',
        'schema' => 'schema',
        // 'port' => 3306
    )
);
```

By default it will connect through port 3306.
To run a basic query, just call DbEscaper::query.

```php
$db_escaper->query('show tables');
```
To avoid unwanted queries being executed (aka SQL injection), use DbEscaper::prepare().

```php
$statement = $db_escaper->prepare($sql, $query_label);
```
You can bind the following types of data:

- Double (no transform)
- Integer (no transform)
- String
- Field
- Tuple
String bindings escape special characters in the string (such as quotes and backslashes) and wrap it in quotes.

```php
$value = "string with quotes (') and slashes (\)";
$statement->bindParam(':binding', $value, Binding::String);
// Real query: 'string with quotes (\') and slashes (\\)'
```
Field bindings check that the value is a valid MySQL field name and wrap it in backticks.

```php
$value = "field_name";
$statement->bindParam(':binding', $value, Binding::Field);
// Real query: `field_name`
```
Tuple bindings check that every element is valid and transform each one if needed.

```php
$value = new DbTuple(Binding::PARAM_STRING, array('string 1', 'string 2'), DbTuple::WITH_PARENTHESIS);
$statement->bindParam(':binding', $value, Binding::Tuple);
// Real query: ( 'string 1', 'string 2' )
```
To bind tuples you must use the DbTuple class.

Double and Integer bindings perform no transformation; they only check that the value has the correct data type.
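The following is an added illustration, not code from neoparla/dbescaper: a dependency-free re-implementation of the three transformations described above (string escaping, field-name validation, tuple rendering) plus an integer type check, so the effect of each binding type on an untrusted value can be seen without a database. The function names, the identifier pattern and the `:placeholder` substitution are assumptions made for this example and do not reflect the library's internals.

```php
<?php
// Added example, not the library's own code. Each bind* function returns the SQL
// fragment that would replace a placeholder, mirroring the README's "Real query" lines.

function bindString(string $value): string {
    // Escape backslashes and single quotes, then wrap in single quotes.
    // addcslashes keeps this demo offline; against a live connection use
    // mysqli::real_escape_string, which also respects the connection charset.
    return "'" . addcslashes($value, "\\'") . "'";
}

function bindField(string $name): string {
    // Field names cannot be "escaped" into safety: validate against a strict
    // identifier pattern (an assumption, narrower than MySQL's full grammar)
    // and refuse anything else, then wrap in backticks.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_$]*$/', $name)) {
        throw new InvalidArgumentException("Invalid field name: $name");
    }
    return '`' . $name . '`';
}

function bindInteger($value): string {
    // "No transform" bindings still enforce the type, so a string that merely
    // looks numeric is rejected instead of being interpolated as-is.
    if (!is_int($value)) {
        throw new InvalidArgumentException('Integer expected, got ' . gettype($value));
    }
    return (string) $value;
}

function bindTuple(array $values, callable $binder, bool $withParenthesis = true): string {
    // Every element goes through the element binder, so one bad element
    // aborts the whole tuple rather than slipping through.
    $list = implode(', ', array_map($binder, $values));
    return $withParenthesis ? '( ' . $list . ' )' : $list;
}

function render(string $sql, array $bound): string {
    // Substitute already-rendered fragments for their placeholders.
    // strtr replaces longest keys first, so ':ids' is not clobbered by ':id'.
    return strtr($sql, $bound);
}

// Constructed sample input: a string carrying a quote, as an attacker-controlled
// value might, and a column name taken from user input.
$untrustedName = "x' OR '1'='1";
$sql = 'SELECT :col FROM users WHERE name = :name AND id IN :ids';

$bound = array(
    ':col'  => bindField('email'),
    ':name' => bindString($untrustedName),
    ':ids'  => bindTuple(array(1, 2, 3), 'bindInteger'),
);
echo render($sql, $bound), "\n";   // the quote is escaped, so it stays inside the literal

// A column name that tries to break out of the backticks is rejected outright.
try {
    bindField("email` FROM users; -- ");
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// An integer binding refuses a non-integer, even one that looks numeric.
try {
    bindTuple(array(1, '2'), 'bindInteger');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The design point is that the three binding types answer three different questions: a string value is escaped because any byte sequence is a legal literal, a field name is validated because there is no general-purpose escape for identifiers, and a numeric value is type-checked because interpolating it verbatim is only safe when it really is a number.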