How to escape sql injection from HANA placeholder

Question

I have some HANA queries which use PLACEHOLDER input and of course I want to prevent an sql injection.

I try to use ? in odbc_prepare()

$query = <<<SQL
SELECT
    col,
    ...
FROM table_name('PLACEHOLDER'=('$$some_key$$', ?))
WHERE col = ?
SQL;
$stmt = \odbc_prepare($conn, $query);

if ($stmt !== false) {
    \odbc_execute($stmt, ['placeholder_value', 'where_value']);
}

but I receive this warning:

Warning: odbc_prepare(): SQL error: [SAP AG][LIBODBCHDB SO][HDBODBC] Syntax error or access violation;257 sql syntax error: incorrect syntax near "?": line 32 col 40 (at pos 1283), SQL state 37000 in SQLPrepare

and statement wasn't created. So my code now looks like this:

$query = <<<SQL
SELECT
    col,
    ...
FROM table_name('PLACEHOLDER'=('$$some_key$$', 'placeholder_value'))
WHERE col = ?
SQL;
$stmt = \odbc_prepare($conn, $query);

if ($stmt !== false) {
    \odbc_execute($stmt, ['where_value']);
}

As I see here htmlspecialchars() is not enough to prevent an SQL injection.

I can't remove input placeholder, I don't own HANA.

Is there any other way to prevent SQL injection in PLACEHOLDER?

Answer 1

The (old) placeholder syntax ('PLACEHOLDER'=('<varname>', '<var value>')) you're using here does not allow for bind variables.

Instead, the new placeholder syntax (PLACEHOLDER."<varname>"=>?) allows using bind variables.

In your code this would look like this:

$query = <<<SQL
SELECT
    col,
    ...
FROM table_name (PLACEHOLDER."$$some_key$$" => ?)
WHERE col = ?
SQL;
$stmt = \odbc_prepare($conn, $query);