Match string not surround by quotes

I need to do a string replacement within an SQL statement but only where the the pattern does not occur within a text string. This is to compensate for PHP PDOs lack of native functions for construction a CSV of placeholder in an IN statement.

So I might have a query like:
SELECT * FROM table where colId IN(XX).

I would then search for "XX" and replace it with a generated string to produce
SELECT * FROM table WHERE colId IN(?, ?, ?)

That part is easy.

What I want to avoid is:
SELECT * from table WHERE colDesc "Hello XX World"
becoming
SELECT * FROM table WHERE colDesc "Hello ?, ?, ? World"

Well, the better you know about your data, the better you are off with regexes in general. We would need to know more on how hairy your SQL select statements can be: for example, can there be several quoted strings or only one? If yes, you could do the substitution only if the line does not match /".*XX.*"/.

Another possibility: if the "XX" that you want to replace is always part of the string "IN (XX)", you could have something like:

If you're using bound parameters you should never end up with arbitrary strings in your SQL query, so you shouldn't run into an issue as you described.

There is really no way to use a reg ex to figure out whether "xx" is a placeholder in the sql query or part of a string.

You're right, as a rule of thumb there shouldn't be an existing string in the query.

I thought if I could catch it, I would. But if I can't, well the query will fall over when executed anyway, at which point the programmer should remove the string or escape the placeholder.

Thanks for the responses.