User Parameters

Generally, only the question mark (?) is treated as a parameter in SQL statements. On this page, you can specify which other characters and their sequences should be treated as parameters, and in which places.

The patterns for SQL parameters are specified by means of regular expressions.

Item	Description
Enable in console and SQL files	If the checkbox is selected, the parameter patterns are applied to SQL (in SQL files and database consoles). The usage scope, if necessary, may be limited at the level of individual patterns. If this checkbox is not selected, the patterns are not used in SOL files and consoles irrespective of which usage scope is specified for individual patterns.
Enable in string literals with SQL injection	If the checkbox is selected, the parameter patterns are applied to string literals injected with SQL. The usage scope, if necessary, may be limited at the level of individual patterns. If this checkbox is not selected, the patterns are not used in string literals irrespective of which usage scope is specified for individual patterns.
Parameter patterns	The table shows the parameter patterns and their usage scopes. The patterns are specified using regular expressions. Values in parentheses are treated as parameter names. The patterns available initially have the following meanings: `\?(\d+)` - a question mark followed by one or more digits, e.g. `?69` in which case `69` would be the parameter name. `:(\w+)` - a colon followed by one or more word characters, e.g. `:x`, `:value`, `:parameter_1`. `%w+` - `%` followed by one or more word characters, e.g. `%xyz`. To have PhpStorm recognize sprintf format references in injected SQL strings: Click the `%w+` pattern. PhpStorm expands a hidden area with the configuration settings for the pattern. Select the In scripts and In literals checkboxes. Click the <Language> link and select PHP in the list. `\$\{([^$\{\}]*)\}` - `$`, then `{`, then any character except `$`, `{` or `}` zero or more times, then `}`, e.g. `${}`, `${value}`. `\$\(([^\)]+)\)` - `$`, then `(`, then any character except `)` one or more times, then `)`, e.g. $(x). `\$(\w+)\$` - `$`, then one or more word characters, then `$` again, e.g. $x1$ . `\#(\w+)\#` - `#`, then one or more word characters, then `#` again, e.g. `#field_3#`. Use (`Alt+Insert`), (`Alt+Delete`), (`Alt+Up`) and (`Alt+Down`) to add, delete and reorder the patterns. To edit a pattern or its usage scope, click the pattern and use the following controls: In scripts. Clear this checkbox if the pattern shouldn't be used in SQL files and database consoles. In literals. Clear this checkbox if the pattern shouldn't be used in string literals injected with SQL. All (the link text may be different). Click the link and deselect the languages in which the pattern shouldn't be used.

Item

Description

Enable in console and SQL files

If the checkbox is selected, the parameter patterns are applied to SQL (in SQL files and database consoles). The usage scope, if necessary, may be limited at the level of individual patterns.

If this checkbox is not selected, the patterns are not used in SOL files and consoles irrespective of which usage scope is specified for individual patterns.

Enable in string literals with SQL injection

If the checkbox is selected, the parameter patterns are applied to string literals injected with SQL. The usage scope, if necessary, may be limited at the level of individual patterns.

If this checkbox is not selected, the patterns are not used in string literals irrespective of which usage scope is specified for individual patterns.

Parameter patterns

The table shows the parameter patterns and their usage scopes.

The patterns are specified using regular expressions. Values in parentheses are treated as parameter names. The patterns available initially have the following meanings:

\?(\d+) - a question mark followed by one or more digits, e.g. ?69 in which case 69 would be the parameter name.
:(\w+) - a colon followed by one or more word characters, e.g. :x, :value, :parameter_1.
%w+ - % followed by one or more word characters, e.g. %xyz.
To have PhpStorm recognize sprintf format references in injected SQL strings:
1. Click the %w+ pattern. PhpStorm expands a hidden area with the configuration settings for the pattern.
2. Select the In scripts and In literals checkboxes.
3. Click the <Language> link and select PHP in the list.
\$\{([^$\{\}]*)\} - $, then {, then any character except $, { or } zero or more times, then }, e.g. ${}, ${value}.
\$$([^$]+)\) - $, then (, then any character except ) one or more times, then ), e.g. $(x).
\$(\w+)\$ - $, then one or more word characters, then $ again, e.g. $x1$ .
\#(\w+)\# - #, then one or more word characters, then # again, e.g. #field_3#.

Use (Alt+Insert), (Alt+Delete), (Alt+Up) and (Alt+Down) to add, delete and reorder the patterns.

To edit a pattern or its usage scope, click the pattern and use the following controls:

In scripts. Clear this checkbox if the pattern shouldn't be used in SQL files and database consoles.
In literals. Clear this checkbox if the pattern shouldn't be used in string literals injected with SQL.
All (the link text may be different). Click the link and deselect the languages in which the pattern shouldn't be used.

Last modified: 21 November 2018