I have some HANA queries which use PLACEHOLDER input and of course I want to prevent an sql injection.
I try to use ? in odbc_prepare()
$query = <<<SQL
SELECT
col,
...
FROM table_name('PLACEHOLDER'=('$$some_key$$', ?))
WHERE col = ?
SQL;
$stmt = \odbc_prepare($conn, $query);
if ($stmt !== false) {
\odbc_execute($stmt, ['placeholder_value', 'where_value']);
}
but I receive this warning:
Warning: odbc_prepare(): SQL error: [SAP AG][LIBODBCHDB SO][HDBODBC] Syntax error or access violation;257 sql syntax error: incorrect syntax near "?": line 32 col 40 (at pos 1283), SQL state 37000 in SQLPrepare
and statement wasn't created. So my code now looks like this:
$query = <<<SQL
SELECT
col,
...
FROM table_name('PLACEHOLDER'=('$$some_key$$', 'placeholder_value'))
WHERE col = ?
SQL;
$stmt = \odbc_prepare($conn, $query);
if ($stmt !== false) {
\odbc_execute($stmt, ['where_value']);
}
As I see here htmlspecialchars() is not enough to prevent an SQL injection.
I can't remove input placeholder, I don't own HANA.
Is there any other way to prevent SQL injection in PLACEHOLDER?
The (old) placeholder syntax ('PLACEHOLDER'=('<varname>', '<var value>')) you're using here does not allow for bind variables.
Instead, the new placeholder syntax (PLACEHOLDER."<varname>"=>?) allows using bind variables.
In your code this would look like this:
$query = <<<SQL
SELECT
col,
...
FROM table_name (PLACEHOLDER."$$some_key$$" => ?)
WHERE col = ?
SQL;
$stmt = \odbc_prepare($conn, $query);