I have some HANA queries which use PLACEHOLDER input, and of course I want to prevent SQL injection. I try to use ? in odbc_prepare().
The (old) placeholder syntax ('PLACEHOLDER'=('<varname>', '<var value>')) you're using here does not allow for bind variables. Instead, the new placeholder syntax (PLACEHOLDER."<varname>"=>?) allows using bind variables.

In your code this would look like this:
$query = <<<'SQL'
SELECT
col,
...
FROM table_name (PLACEHOLDER."$$some_key$$" => ?)
WHERE col = ?
SQL;
// Nowdoc (<<<'SQL') keeps "$$some_key$$" literal; a plain heredoc (<<<SQL)
// would interpolate the PHP variable $some_key into the SQL text.
$stmt = \odbc_prepare($conn, $query);
// Bind both ? markers positionally: the placeholder value first, then the
// WHERE value ($someKeyValue and $colValue are the caller's untrusted inputs).
\odbc_execute($stmt, [$someKeyValue, $colValue]);
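To show the difference in practice, here is an added PHP example (not code from the question or the answer above) with the old syntax spliced together from user input next to the bound version. Everything named in it is hypothetical: an ODBC DSN "HANA_DSN", a HANA calculation view SALES_VIEW with an input parameter $$country$$, and columns REGION and REVENUE. It also guards against a PHP-side quirk worth knowing: odbc_execute() treats a parameter that both starts and ends with a single quote as a file name and substitutes that file's contents, so untrusted values are checked before being bound.

```php
<?php
// Added example; not code from the original question or answer.
// Assumptions (all hypothetical): an ODBC DSN "HANA_DSN", a HANA calculation
// view SALES_VIEW with an input parameter $$country$$, and columns REGION and
// REVENUE. Requires PHP's ODBC extension and a HANA ODBC driver.
declare(strict_types=1);

function fetchAll($stmt): array
{
    $rows = [];
    while (($row = odbc_fetch_array($stmt)) !== false) {
        $rows[] = $row;
    }
    return $rows;
}

// VULNERABLE: the old ('PLACEHOLDER' = ('$$name$$', 'value')) syntax gives you
// no bind marker, so the caller's values are spliced into the SQL text. An input
// such as  DE')) WHERE 1=1 --  rewrites the statement instead of being data.
function salesUnsafe($conn, string $country, string $region): array
{
    $sql = 'SELECT REGION, REVENUE FROM SALES_VIEW '
         . "('PLACEHOLDER' = ('\$\$country\$\$', '" . $country . "')) "
         . "WHERE REGION = '" . $region . "'";
    $stmt = odbc_exec($conn, $sql);
    if ($stmt === false) {
        throw new RuntimeException('exec failed: ' . odbc_errormsg($conn));
    }
    return fetchAll($stmt);
}

// odbc_execute() treats a parameter that both starts and ends with a single
// quote as a file name and substitutes that file's contents. Reject such values
// rather than letting a caller read server-side files through a bind parameter.
function rejectFileStyleParam(string $value): string
{
    if (strlen($value) >= 2 && $value[0] === "'" && substr($value, -1) === "'") {
        throw new InvalidArgumentException('parameter must not be wrapped in single quotes');
    }
    return $value;
}

// HARDENED: the PLACEHOLDER."$$name$$" => ? syntax accepts a bind marker, so the
// placeholder value and the WHERE value travel separately from the SQL text.
function salesSafe($conn, string $country, string $region): array
{
    $sql = <<<'SQL'
SELECT REGION, REVENUE
FROM SALES_VIEW (PLACEHOLDER."$$country$$" => ?)
WHERE REGION = ?
SQL;
    // Nowdoc (<<<'SQL') keeps $$country$$ literal; a heredoc would interpolate $country.
    $stmt = odbc_prepare($conn, $sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . odbc_errormsg($conn));
    }
    // Bound positionally, in the order the ? markers appear in the statement.
    $params = [rejectFileStyleParam($country), rejectFileStyleParam($region)];
    if (!odbc_execute($stmt, $params)) {
        throw new RuntimeException('execute failed: ' . odbc_errormsg($conn));
    }
    return fetchAll($stmt);
}

$conn = odbc_connect('HANA_DSN', 'report_user', 'secret');
if ($conn === false) {
    throw new RuntimeException('connect failed: ' . odbc_errormsg());
}
// Untrusted input goes straight to the bound version; the same call against
// salesUnsafe() would let the caller rewrite the query.
$rows = salesSafe($conn, $_GET['country'] ?? 'DE', $_GET['region'] ?? 'EMEA');
print_r($rows);
odbc_close($conn);
```

The bound version sends the placeholder value and the WHERE value through the ODBC driver rather than through the SQL string, which is what makes the new syntax the right choice when the values come from a request. The salesUnsafe() function is kept only to make the contrast visible; it should not be used with any input you do not control.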