Find if a string is a MySQL function in PHP

I have a function that takes an array and creates an SQL statement based on the key / value pairs of the array. For instance:

 name=>SomeKittens

It will turn into

 (`name`) VALUES ('SomeKittens') 

The only problem is that I am using a MySQL string function such as NOW().

 creation_date=>NOW() 

turns into

 (`creation_date`) VALUES ('NOW()') 

Note that NOW() is escaped. Is there a way to determine if a value is a MySQL string function? (Except, of course, $value === "NOW()".)

I use Joomla DBO, but I am also open to PDO / MySQLi solutions.


+4
2 answers

If you allow functions with arguments, I don’t think you can protect your db from SQL injections.
If you only allow functions with no arguments (e.g. NOW()), you can also copy the list.

+4

You may just want to define a constant, such as MYSQL_NOW, that, when you create a query, you know is converted to a call to the NOW() function, and not to the string "NOW()".

+1
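An added example, not code from the question or either answer, combining the two suggestions above: an explicit marker for SQL functions, checked against an allowlist of no-argument functions, with every other value bound as a parameter. The names `SqlFunction` and `buildInsert`, the `users` table and the `note` column are assumptions made for illustration.

```php
<?php
// Marker object: a value is treated as SQL only if the caller wrapped it,
// never because a string happens to look like "NOW()".
final class SqlFunction
{
    // Allowlist of no-argument MySQL functions (extend as needed).
    private const ALLOWED = ['NOW', 'CURDATE', 'CURTIME', 'UTC_TIMESTAMP', 'UUID'];
    private string $sql;

    public function __construct(string $name)
    {
        $name = strtoupper($name);
        if (!in_array($name, self::ALLOWED, true)) {
            throw new InvalidArgumentException("SQL function not allowed: $name");
        }
        $this->sql = $name . '()';
    }

    public function sql(): string { return $this->sql; }
}

// Hypothetical helper: returns [sql, params] for PDO::prepare() / execute().
function buildInsert(string $table, array $data): array
{
    $quote = static function (string $id): string {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/D', $id)) {
            throw new InvalidArgumentException("Bad identifier: $id");
        }
        return "`$id`";
    };
    $columns = $values = $params = [];
    foreach ($data as $column => $value) {
        $columns[] = $quote((string) $column);
        if ($value instanceof SqlFunction) {
            $values[] = $value->sql();   // allowlisted text, emitted unquoted
        } else {
            $values[] = '?';             // everything else is bound, never inlined
            $params[] = $value;
        }
    }
    $sql = sprintf('INSERT INTO %s (%s) VALUES (%s)',
        $quote($table), implode(', ', $columns), implode(', ', $values));
    return [$sql, $params];
}

// Constructed sample input: the plain string 'NOW()' stays data.
[$sql, $params] = buildInsert('users', [
    'name' => 'SomeKittens', 'creation_date' => new SqlFunction('NOW'), 'note' => 'NOW()',
]);
echo $sql, "\n", json_encode($params), "\n";
```

With PDO the result is executed as `$pdo->prepare($sql)->execute($params)`; a request parameter containing the text `NOW()` can never become a function call because only code that constructs a `SqlFunction` can emit unquoted SQL.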
