How to protect DB::statement() from SQL injection in Laravel 5.5?

I want to let users create a database. The query looks like this: DB::statement( ‘CREATE DATABASE mydbname’ ). I need to use DB::statement instead of DB::select / DB::select / DB::update as the latter commands do not support the create statement. I want to protect myself from SQL injection and …

Related:

problem calling SQL server stored procedure with datetime parameters

I have a stored procedure
dbo.MySp(@From datetime, @To datetime)

In Analytics, I created a report, added a prompt page, created two “Date and time prompts ” and named them Param_From and Param_To.

In SQL object, I set SQL syntax to “Pass-Through” and use this code

exec dbo.MySp #sq(prompt(‘Param_From’,’date’))#, #sq(prompt(‘Param_To’,’date’))#

it WORKS, but ignored the time portion of the Date and time prompts.

if I changed the code to

exec dbo.MySp #sq(prompt(‘Param_From’,’**datetime**’))#, #sq(prompt(‘Param_To’,’**datetime**’))#

then I get error
UDA-SQL-0564 [Microsoft OLE DB Provider for SQL Server]Error converting data type varchar to datetime. (SQLSTATE=22018, SQLERRORCODE=8114)

I can’t even pass validation.
Any ideas?

Related: