Check out Part 1 to learn why you don’t actually need an escaping function.
So you want a function to escape or validate user input that is going to be inserted into a MySQL query as a column or table name?
Skip to Part 2 if you just want a drop-in escaping function. Keep reading if you want to know why you don’t need one.
Thanks to widespread adoption of ORMs, it’s rare that I need to construct SQL queries in code. However, there are at least a couple of situations where the need still arises:
- I want to perform some kind of advanced query that’s not exposed via the ORM
- I’m working in a legacy codebase that does not offer an ORM