If you are allowing users to enter entire queries just to SELECT, don't. This would be a security nightmare.
Instead, use PDO's prepared statements and allow users to do advanced searching; to do otherwise would require an AI's level of sanitizing, and if you were doing that, you wouldn't be asking this question.
Instead, ask yourself what logic you need for record searching. Do you need to search multiple fields? If you need joins, you can implicitly (and automatically) join the tables together when you fetch records.
You can also use parameters for LIMIT, pagination, and all manner of things in a form.
The basic point is this: if a user can write an SQL query, you might as well just give them a login to your SQL console and ignore all sanitizing. Sanitizing input when a user is writing their own query would be rather strange, and could result in the query not even running.
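The approach the answer recommends, as an added example that is not part of the original answer: the user picks search fields, a sort column, a page size and a page number; column names are checked against a fixed whitelist (they cannot be bound as parameters), and every user-supplied value, including LIMIT and OFFSET, is bound through PDO. The `products` table, its rows and the `searchProducts()` function are constructed for this example and use an in-memory SQLite database so it runs stand-alone.

```php
<?php
// Added example, not code from the original answer. The table and rows are
// constructed so the script runs offline against SQLite (needs pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL you would also set PDO::ATTR_EMULATE_PREPARES to false so the
// server, not the client, does the parameter substitution.

$pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, category TEXT, price REAL)');
$seed = $pdo->prepare('INSERT INTO products (name, category, price) VALUES (?, ?, ?)');
foreach ([['Widget', 'tools', 9.99], ['Gadget', 'tools', 24.50],
          ['Gizmo', 'toys', 4.25], ['Doohickey', 'toys', 12.00]] as $row) {
    $seed->execute($row);
}

/**
 * Hypothetical search helper. $filters maps column => value (equality match),
 * $sort is a column name, $limit and $offset drive pagination.
 * Identifiers (column names) come from a whitelist; values are always bound.
 */
function searchProducts(PDO $pdo, array $filters, string $sort, int $limit, int $offset): array
{
    $allowedColumns = ['name', 'category', 'price'];

    $where  = [];
    $params = [];
    foreach ($filters as $column => $value) {
        // Reject anything that is not a known column before it touches the SQL text.
        if (!in_array($column, $allowedColumns, true)) {
            throw new InvalidArgumentException("Unknown search field: $column");
        }
        $where[]             = "$column = :$column";
        $params[":$column"]  = $value;
    }
    if (!in_array($sort, $allowedColumns, true)) {
        throw new InvalidArgumentException("Unknown sort field: $sort");
    }

    $sql = 'SELECT id, name, category, price FROM products';
    if ($where) {
        $sql .= ' WHERE ' . implode(' AND ', $where);
    }
    $sql .= " ORDER BY $sort LIMIT :limit OFFSET :offset";

    $stmt = $pdo->prepare($sql);
    foreach ($params as $name => $value) {
        $stmt->bindValue($name, $value);
    }
    // LIMIT/OFFSET must be bound as integers; a string-typed bind would be
    // quoted by some drivers and the query would fail. Clamp the page size too.
    $stmt->bindValue(':limit',  max(1, min($limit, 100)), PDO::PARAM_INT);
    $stmt->bindValue(':offset', max(0, $offset),          PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed requests. A value that looks like an injection attempt is
// compared as a literal string, so it simply matches no row.
$page    = 1;
$perPage = 2;
$results = searchProducts($pdo, ['category' => "tools' OR '1'='1"], 'price', $perPage, ($page - 1) * $perPage);
var_dump(count($results));

$results = searchProducts($pdo, ['category' => 'toys'], 'price', $perPage, 0);
print_r(array_column($results, 'name'));

// A hostile field name is rejected before any SQL is assembled.
try {
    searchProducts($pdo, ['category; DROP TABLE products' => 'x'], 'name', 10, 0);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The split is the whole point: anything that has to appear as an identifier in the statement text (column to filter on, column to sort by) is chosen from a list the application controls, and everything the user actually types is bound as a value, so the user can search as flexibly as the form allows without ever composing SQL.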