Overloading a Native PHP Function to Encrypt Data for HIPAA Compliance

Although you've previously stated you can't/won't translate your code into a database abstraction layer, I believe that would be the ideal solution. Sure, it's a lot more work right now, but it pays off. What you've proposed is a hack, that can (and probably will) lead to errors and headaches in the future.

The next best thing would be to encrypt the whole database, as proposed in the comments. There are solutions out there for transparent encryption in different levels, ie: this or this

Another thing you might want to look into is MySQL's native encryption and decryption functions, which could be used to implement column-level encryption if you're concerned about performance.

While the best solution would be the abstraction layer that the other answers have suggested, you can override existing PHP functions with your own versions with the PECL Runkit extension

Something like:

runkit_function_rename ( 'mysql_query', 'mysql_query_old' );function mysql_query ( $query , $link_identifier=null ) {   // modify $query here for UPDATE/DELETE statement and any WHERE clause, etc   $newQuery = modifyQuery($query);   if (is_null($link_identifier)) {      $result = mysql_query_old ( $newQuery);   } else {      $result = mysql_query_old ( $newQuery, $link_identifier);   }   // modify $result here for returned data from any SELECT statement   return modifyResult($result);}

Note: By default, only userspace functions may be removed, renamed, or modified. In order to override internal functions, you must enable the runkit.internal_override setting in php.ini.

It's not a solution I'd really recommend. I had to do something similar some years back in java, where it was far easier to extend jdbc; but while parsing the syntax of SQL queries is hard enough, it gets harder still if your queries are using bind variables. Watch out for escaped strings! Watch out for any use of related function like mysql_db_query, just in case they're used alongside mysql_query within the application!

Apologies for shaky typing. My wife has been bouncing our router a few times while I'be been writing this suggestion

I think one way of handling this automatically would be to look into MySQL proxy

and implement encryption through that. I played around with it 2 or so years ago when it was in a very early stages, and from what I remember it could basically intercept requests and do 'stuff' with them :) No code change required essentially.Hopefully this helps.