4

I have a function that takes an array and creates a SQL statement based on they key/value pairs of the array. For example:

 name=>SomeKittens

It'd turn into

(`name`) VALUES ('SomeKittens')

The only problem is when I use a MySQL string function such as NOW().

creation_date=>NOW()

turns into

(`creation_date`) VALUES ('NOW()')

Note that NOW() is escaped. Is there any way to detect if the value is a MySQL string function? (besides of course $value === "NOW()")

I'm using the Joomla DBO but am open to PDO/MySQLi solutions as well.

(relevant chat discussion)

Community
  • 1
  • 1
SomeKittens
  • 38,868
  • 19
  • 114
  • 143
  • `NOW()` isn't escaped, but it is a literal string. – PeeHaa Jul 24 '12 at 18:55
  • 4
    How do you distinguish between `NOW()` intended to be a function, and `NOW()` intended to be a hard-coded 5-character literal string? You may need to manually provide more metadata in your key/value pairs to indicate how to interpret the value, e.g., `name=>STRING:SomeKittens` and `creation_date=>FUNC:NOW()` – mellamokb Jul 24 '12 at 18:55

2 Answers2

4

If you allow functions with arguments I don't think you will be able to protect your db against SQL injections.
If you allow only functions w/o arguments (like NOW()) you might as well hardcode a list.

Vatev
  • 7,493
  • 1
  • 32
  • 39
1

You may simply want to define a constant like MYSQL_NOW that when creating your query you know to convert to a NOW() function call rather than 'NOW()' string.

Mike Brant
  • 70,514
  • 10
  • 99
  • 103