SQL injection with custom placeholder
Hello,
Is it possible to set custom placeholders in SQL statements? I have, for example, the following MySQL string inside a PHP file:
SELECT * FROM mytable WHERE ID=%d;
But PhpStorm throws a syntax error at "%d". How can I disable this error message?
Thanks for help.
Hi there,
No. http://youtrack.jetbrains.com/issue/WI-3672 (about actually custom, something like __MY_VAR__ : http://youtrack.jetbrains.com/issue/WI-16020 )
The error message is correct -- from an SQL point of view (the inspection is run by the Database support module) this is NOT valid SQL code.
You can use "Keywords only" dialect instead of specific SQL dialect -- this will prevent SQL inspections from running leaving only generic syntax highlighting ( http://youtrack.jetbrains.com/issue/WI-16020#comment=27-433714 )
P.S.
If possible -- instead of building exact SQL query in this way -- you should try prepared statements. Such statement can be written like this:
The named parameter (:id) or unnamed parameter (?) will then be properly replaced by the DB engine itself before executing it.
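The query from the question rewritten as prepared statements, as an added example that is not part of the original answer (PDO; `mytable` and `ID` come from the question, the DSN, credentials and `$id` source are placeholders):

```php
<?php
// Added example, not from the original post. Connection details are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME', 'DB_USER', 'DB_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepare: MySQL binds the value itself
]);

// Constructed input: an untrusted id coming from the request.
$id = $_GET['id'] ?? 0;

// Before: value and SQL text are merged into one string. PhpStorm rightly flags
// "%d" because the string is not valid SQL until sprintf() has run.
// $sql = sprintf("SELECT * FROM mytable WHERE ID=%d;", $id);

// After, named parameter: the statement text is fixed, valid SQL on its own,
// and the value travels separately, so it can never alter the query structure.
$stmt = $pdo->prepare('SELECT * FROM mytable WHERE ID = :id');
$stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

// After, positional parameter: same statement with "?" instead of ":id".
$stmt = $pdo->prepare('SELECT * FROM mytable WHERE ID = ?');
$stmt->execute([(int) $id]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

Both prepared forms are plain SQL from the inspection's point of view, so the PhpStorm warning disappears along with the injection risk.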
Thanks. I'll try prepared statements. This looks like the best solution for me.