DbEscaper

Database wrapper to escape properly, allowing meaningful queries with parametrized values

Getting started

Install it through composer with

composer require neoparla/dbescaper

First step: connect

To create an instance, initialize it with the connection data.

$db_escaper = DbEscaper::init(
    array(
        'host' => 'host',
        'user'  => 'user',
        'pass'  => 'pass',
        'schema'    => 'schema',
        // 'port' => 3306
    )
);

By default it will connect through port 3306.

Basic queries

To run a basic query, just call DbEscaper::query().

$db_escaper->query('show tables');

Statements

To avoid unwanted queries being executed (i.e. SQL injection), use DbEscaper::prepare().

$statement = $db_escaper->prepare($sql, $query_label);

You can bind the following types of data:

  • Double (no transformation)
  • Integer (no transformation)
  • String
  • Field
  • Tuple

Binding::String

It'll escape special characters in the string (such as quotes and backslashes) and wrap it in quotes.

$value = "string with quotes (') and slashes (\)";
// $statement is the DbStatement returned by DbEscaper::prepare()
$statement->bindParam(':binding', $value, Binding::String);
// Real query: 'string with quotes (\') and slashes (\\)'

Binding::Field

It'll ensure the value is a valid MySQL field name and wrap it in backticks.

$value = "field_name";
$statement->bindParam(':binding', $value, Binding::Field);
// Real query: `field_name`

Binding::Tuple

It'll ensure all values are valid and will transform them if needed.

$value = new DbTuple(Binding::PARAM_STRING, array('string 1', 'string 2'), DbTuple::WITH_PARENTHESIS);
$statement->bindParam(':binding', $value, Binding::Tuple);
// Real query: ( 'string 1', 'string 2' )

DbTuple class

To bind tuples you must use the DbTuple class.

Binding::Double and Binding::Integer

These kinds of binding perform no transformation at all. They only check that the value has the correct data type.
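As an added example (not part of this README or the project's own code), here is one statement that combines every binding kind described above, so that the user-controlled value, the column name and the IN-list each get the transformation that is right for their position in the SQL. The Composer autoload path and the execute() call are assumptions; this README does not show how a prepared statement is run.

```php
<?php
// Added example, not the project's own code. Assumed: autoload path and
// an execute() method on the prepared statement (not documented above).
require 'vendor/autoload.php';

$db_escaper = DbEscaper::init(
    array(
        'host'   => 'localhost',   // constructed sample connection data
        'user'   => 'app',
        'pass'   => 'secret',
        'schema' => 'shop',
    )
);

// One placeholder per untrusted piece: identifier, string, list, number.
$sql = 'SELECT :column FROM orders '
     . 'WHERE customer = :customer AND status IN :statuses AND total > :minimum';
$statement = $db_escaper->prepare($sql, 'orders_by_customer');

// Binding::Field: an identifier cannot be protected by quote escaping,
// so the Field binding checks it is a valid MySQL name and backticks it.
// A request parameter that is not a valid field name is rejected here
// instead of reaching the query text.
$column = 'created_at';                      // -> `created_at`
$statement->bindParam(':column', $column, Binding::Field);

// Binding::String: quotes and backslashes are escaped, then the value is quoted.
$customer = "O'Brien";                       // -> 'O\'Brien'
$statement->bindParam(':customer', $customer, Binding::String);

// Binding::Tuple: every element is escaped as a string and the list is
// wrapped in parentheses, which is what IN (...) needs.
$statuses = new DbTuple(
    Binding::PARAM_STRING,
    array('paid', 'shipped'),
    DbTuple::WITH_PARENTHESIS
);                                           // -> ( 'paid', 'shipped' )
$statement->bindParam(':statuses', $statuses, Binding::Tuple);

// Binding::Double: no transformation, only a type check, so a value that is
// not a number fails the binding rather than being interpolated as text.
$minimum = 100.0;
$statement->bindParam(':minimum', $minimum, Binding::Double);

// Assumed execution call; the method name is not documented in this README.
$rows = $statement->execute();
```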