protecting against injection in an advanced MySQL stored procedure statement in PHP

Question

I am using an XML string passed into a stored procedure to store data into my database.

In general, I use PDO to create prepared statements to avoid SQL injection via bindParam() and bindValue(), then execute(). However, in order to optimize my database, I have decided to implement a stored procedure that takes in a large set of XML data and does all of the writing at once.

The stored procedure will use an iterator to go through the XML and insert rows into the database.

Using ExtractValue which uses XPath notation, I can do something like this:

CREATE DEFINER=`$DBU`@`%` PROCEDURE `write_comment_rows`(In xml_string text) 
BEGIN
    insert into my_table (comment) values (
        ExtractValue(xml_string, 'user_data/comment_field') 
    );
END;

How can I make sure the data in my XML stored in comment_field is safe to put into my database?

Answer 1

I see no optimization in this approach. A PHP-based parsing, followed by a series of prepared inserts wrapped in a transaction, would be blazing fast.

Anyway, there are inline prepared statements can be used in a procedure