How to escape sql injection from HANA placeholder

失恋的感觉 2021-01-25 01:41

I have some HANA queries which use PLACEHOLDER input and of course I want to prevent SQL injection.

I try to use ? in odbc_prepare()

1 Answer
  •  悲&欢浪女
    2021-01-25 02:04

    The (old) placeholder syntax ('PLACEHOLDER'=('', '')) you're using here does not allow for bind variables.

    Instead, the new placeholder syntax (PLACEHOLDER.""=>?) allows using bind variables.

    In your code this would look like this:

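    // The select list, view name and parameter name were lost from this copy ("...").
    $query = <<<SQL
    SELECT ... FROM ... (PLACEHOLDER."..." => ?)
    WHERE col = ?
    SQL;
    // Both ? markers are bind variables; their values are supplied at execute time.
    $stmt = \odbc_prepare($conn, $query);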
    

    0 Discussion (0)
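The bind-variable form from the answer, carried through to execution and generalized to several input parameters. This is an added example, not code from the question or the answer. The view name, the parameter name `IP_CUSTOMER` (written in HANA's `$$name$$` form) and the `HANA_*` environment variables are assumptions, and it needs PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

/**
 * Build the new-style PLACEHOLDER clause plus its bind list.
 * Names become SQL text (they cannot be bound), so they are pattern-checked;
 * values are only ever passed as bind variables.
 */
function placeholderClause(array $params): array
{
    $parts = [];
    $binds = [];
    foreach ($params as $name => $value) {
        if (!is_string($name) || preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name) !== 1) {
            throw new InvalidArgumentException('invalid input parameter name');
        }
        $parts[] = 'PLACEHOLDER."$$' . $name . '$$" => ?'; // single quotes: no PHP interpolation
        $binds[] = checkedBind($value);
    }
    return ['(' . implode(', ', $parts) . ')', $binds];
}

/** odbc_execute() reads a value wrapped in single quotes as a file name (PHP manual). */
function checkedBind(string|int|float $value): string
{
    $s = (string) $value;
    if (strlen($s) >= 2 && $s[0] === "'" && substr($s, -1) === "'") {
        throw new InvalidArgumentException('bind value must not be wrapped in single quotes');
    }
    return $s;
}

// Constructed sample input; view and parameter names are hypothetical.
[$clause, $binds] = placeholderClause(['IP_CUSTOMER' => "O'Brien"]);
$binds[] = checkedBind('open');               // value for the WHERE marker, bound last
$query = 'SELECT col FROM "_SYS_BIC"."demo/CV_ORDERS" ' . $clause . ' WHERE col = ?';
echo $query, PHP_EOL;

// Runs only where an ODBC DSN for HANA is configured (HANA_* env names are assumptions).
$dsn = getenv('HANA_DSN');
if ($dsn !== false && function_exists('odbc_connect')) {
    $conn = odbc_connect($dsn, (string) getenv('HANA_USER'), (string) getenv('HANA_PASS'));
    $stmt = $conn ? odbc_prepare($conn, $query) : false;
    if ($stmt === false || !odbc_execute($stmt, $binds)) {
        throw new RuntimeException('query failed: ' . odbc_errormsg());
    }
    while (($row = odbc_fetch_array($stmt)) !== false) {
        print_r($row);
    }
}
```

In a heredoc or double-quoted PHP string, the `$$name$$` form would be partly interpolated as a PHP variable, which is why the clause is assembled from single-quoted pieces here.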