php mysql joomla joomla-dbo

Find if string is MySQL function in PHP


I have a function that takes an array and creates a SQL statement based on the key/value pairs of the array. For example:

 name=>SomeKittens

It'd turn into

(`name`) VALUES ('SomeKittens')

The only problem is when I use a MySQL string function such as NOW().

creation_date=>NOW()

turns into

(`creation_date`) VALUES ('NOW()')

Note that NOW() is escaped. Is there any way to detect if the value is a MySQL string function? (besides of course $value === "NOW()")

I'm using the Joomla DBO but am open to PDO/MySQLi solutions as well.

(relevant chat discussion)


Solution

  • If you allow functions with arguments I don't think you will be able to protect your db against SQL injections.
    If you allow only functions w/o arguments (like NOW()) you might as well hardcode a list.
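
The hardcoded-list approach from the answer above, as an added example that is not part of the original answer. It uses PDO-style `?` placeholders instead of the Joomla DBO; the names `buildInsert` and `SQL_FUNCTION_ALLOWLIST` and the sample table and values are hypothetical.

```php
<?php
// Added example; buildInsert() and SQL_FUNCTION_ALLOWLIST are hypothetical names.

// Argument-free MySQL functions that may be emitted unquoted.
const SQL_FUNCTION_ALLOWLIST = ['NOW()', 'CURDATE()', 'CURTIME()', 'UTC_TIMESTAMP()', 'UUID()'];

// Identifiers cannot be bound as parameters, so restrict them to a safe pattern.
const SQL_IDENTIFIER_PATTERN = '/^[A-Za-z_][A-Za-z0-9_]*$/';

/**
 * Build a parameterised INSERT from column => value pairs.
 * Returns [sql, params]; every value not on the list is bound, never concatenated.
 */
function buildInsert(string $table, array $data): array
{
    if ($data === [] || !preg_match(SQL_IDENTIFIER_PATTERN, $table)) {
        throw new InvalidArgumentException('Empty data or invalid table name');
    }
    $columns = [];
    $values = [];
    $params = [];
    foreach ($data as $column => $value) {
        if (!is_string($column) || !preg_match(SQL_IDENTIFIER_PATTERN, $column)) {
            throw new InvalidArgumentException('Invalid column name');
        }
        $columns[] = "`$column`";
        // Exact, case-sensitive match only: "now()", "NOW() " or
        // "NOW(); DROP ..." all fall through and are bound as plain data.
        if (is_string($value) && in_array($value, SQL_FUNCTION_ALLOWLIST, true)) {
            $values[] = $value;
        } else {
            $values[] = '?';
            $params[] = $value;
        }
    }
    $sql = sprintf('INSERT INTO `%s` (%s) VALUES (%s)',
        $table, implode(', ', $columns), implode(', ', $values));
    return [$sql, $params];
}

// Constructed sample input: one plain value, one listed function, one hostile string.
[$sql, $params] = buildInsert('users', [
    'name'          => 'SomeKittens',
    'creation_date' => 'NOW()',
    'bio'           => "NOW(); DROP TABLE users",
]);
echo $sql, PHP_EOL;
print_r($params);
// Execute with: $pdo->prepare($sql)->execute($params);
```

Because the match is on the value itself, user-supplied data that is exactly equal to a listed entry is also emitted as the function, so the list should hold only functions that are harmless in any column a user can write to.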