I’d like to take user input, denoted as $dangerous_string, and use it as part of a RegEx in a MySQL query.
What’s the best way to go about doing this? I want to use the user’s string as a literal — if it contains any characters that mean something in MySQL RegEx, those characters should not actually affect my Regular Expression.
$dangerous_string = $_GET["string"];
//do something here
$dangerous_string = what_goes_here($dangerous_string);
$sql = "SELECT * FROM `table` WHERE search_column REGEXP '" . $mysqli->real_escape_string("[[:<:]]$dangerous_string") . "'";
//etc....
AFAIK, there is no native way of escaping for MySQL regex. You can do it in PHP with preg_quote (http://www.php.net/manual/en/function.preg-quote.php) which would probably do the job for you, but is obviously not designed for the purpose.
My preferred way if I were in your situation would be to construct a regex whitelist in PHP that you can then apply to your dangerous string:
This removes any non-word characters (i.e. anything except A-Za-z0-9_) from your string.
NB I believe the other answers given will not remove/escape regex special characters, which I believe is your requirement.
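Both approaches above (escape the regex metacharacters so the input is matched literally, or whitelist the input down to word characters), written out as an added example that is not code from the question or the answer. It assumes an existing mysqli connection in $mysqli, a table named `table` with a column `search_column`, and MySQL 8.0 or later, whose ICU-based regex engine uses \b as the word boundary instead of the older [[:<:]] used in the question. The finished pattern is bound as a prepared-statement parameter, so SQL escaping and regex escaping stay two separate problems; the helper names mysql_regex_quote and word_chars_only are made up for this example.

```php
<?php
// Added example: two ways to use untrusted input inside a MySQL REGEXP.
// Assumptions: $mysqli is an open mysqli connection, the server is MySQL 8.0+
// (ICU regex engine, word boundary is \b), table `table` has column
// `search_column`. Helper names are invented for this example.

// Approach 1: escape every character that is special in the regex syntax,
// so the user's text is matched literally. Escaped set: \ . [ ] ( ) { } * + ? | ^ $
// Each match is replaced by a backslash followed by the character itself.
function mysql_regex_quote(string $s): string
{
    return preg_replace('/[\\\\.\\[\\]()\\{\\}*+?|^$]/', '\\\\$0', $s);
}
// mysql_regex_quote('a.b*(c)')  gives  a\.b\*\(c\)

// Approach 2 (the answer's whitelist): drop everything except A-Za-z0-9_.
// Nothing that survives can alter the regex, but the search is no longer
// exact for inputs that contained punctuation or spaces.
function word_chars_only(string $s): string
{
    return preg_replace('/\W+/', '', $s);
}
// word_chars_only('O\'Neil (2024)')  gives  ONeil2024

// Build the pattern. \b anchors the match at a word boundary, replacing the
// [[:<:]] operator that MySQL 8.0's ICU engine no longer accepts.
$dangerous_string = $_GET['string'] ?? '';

$literal = mysql_regex_quote($dangerous_string);   // or: word_chars_only($dangerous_string)

// Edge case: an empty (or fully stripped) input would leave the pattern as a
// bare \b, which matches every row. Refuse it rather than returning everything.
if ($literal === '') {
    http_response_code(400);
    exit('empty search string');
}

$pattern = '\\b' . $literal;   // single-quoted PHP: '\\b' is the two characters \b

// Bind the pattern as a parameter instead of splicing it into the SQL text;
// real_escape_string is not needed and would double up backslashes.
$stmt = $mysqli->prepare('SELECT * FROM `table` WHERE search_column REGEXP ?');
$stmt->bind_param('s', $pattern);
$stmt->execute();
$result = $stmt->get_result();

while ($row = $result->fetch_assoc()) {
    echo htmlspecialchars($row['search_column']), "\n";
}
$stmt->close();
```

preg_quote() from the answer can stand in for mysql_regex_quote: it escapes a superset of these characters, and ICU treats a backslash before any non-alphanumeric character as that literal character, so its output is accepted. On a server older than 8.0.4 (the Henry Spencer engine), keep [[:<:]] in place of \b; the prepared-statement binding and the escaping helpers are unchanged.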