build_query

A simple helper function for preparing SQL queries with data from outside – say no to SQL injections.

<?php
// Builds an SQL string from a sprintf()-style template. Every argument after
// the template is passed through mysql_real_escape_string() (which needs an
// open MySQL connection) and then substituted for its %s placeholder, so a
// quote inside the data cannot terminate the quoted literal in the template.
// $_query_args_ only documents that the function is variadic; the real
// argument list is collected with func_get_args().
function build_query($query, $_query_args_) {
  $query_args = array_slice(func_get_args(), 1);
  $escaped_query_args = array_map("mysql_real_escape_string", $query_args);
  $sprintf_args = array_merge(array($query), $escaped_query_args);
  $result = call_user_func_array("sprintf", $sprintf_args);

  return $result;
}
?>

Example

<?php
build_query("SELECT * FROM users WHERE username = '%s' AND password = '%s'", "qerub", "god' or ''='");
# => "SELECT * FROM users WHERE username = 'qerub' AND password = 'god\' or \'\'=\''"
?>
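The following is an added example, not code from the original page. It rewrites the helper with a pluggable escaper so it can be run without a live MySQL connection, and adds a check for the helper's main caveat: escaping only protects a value that the template places inside quotes, so an unquoted %s is rejected while %d is accepted because sprintf coerces it to an integer. The names build_query_with, assert_placeholders_quoted and demo_escape are assumptions introduced here.

```php
<?php
// Added example, not code from the original page. Re-implements the helper
// with a pluggable escaper and a template check for its main caveat: the
// escaping only helps when the template wraps the placeholder in quotes.

// Assumption: $escape has the contract of mysql_real_escape_string(). In
// production pass a closure around mysqli_real_escape_string($link, $s).
function build_query_with(callable $escape, string $query, ...$args): string {
    assert_placeholders_quoted($query);
    return vsprintf($query, array_map($escape, $args));
}

// Reject any plain %s that is not wrapped in single quotes; an unquoted %s
// would paste the escaped text straight into SQL syntax, where no quote is
// needed to change the query. %d may stay unquoted: sprintf casts it to int.
function assert_placeholders_quoted(string $query): void {
    $q = str_replace('%%', '', $query); // a literal %% is not a placeholder
    if (preg_match("/(?<!')%s(?!')/", $q)) {
        throw new InvalidArgumentException(
            "string placeholder %s must be written as '%s' in: $query");
    }
}

// Stand-in escaper for offline demonstration only: the characters that
// mysql_real_escape_string() escapes, without connection-aware charsets.
function demo_escape(string $s): string {
    return strtr($s, [
        "\\" => "\\\\", "'" => "\\'", '"' => '\\"',
        "\0" => "\\0", "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z",
    ]);
}

// Constructed inputs for the demonstration.
echo build_query_with('demo_escape',
    "SELECT * FROM users WHERE username = '%s'", "qerub' or ''='"), "\n";
// SELECT * FROM users WHERE username = 'qerub\' or \'\'=\''

echo build_query_with('demo_escape',
    "SELECT * FROM users WHERE id = %d", "42abc"), "\n";
// SELECT * FROM users WHERE id = 42   (trailing non-digits dropped by %d)

try {
    build_query_with('demo_escape', "SELECT * FROM users WHERE id = %s", "1");
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The check only recognises a bare %s; width or padding variants such as %10s are not caught, so keep templates to plain '%s' and %d placeholders.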

A Note About Magic Quotes

If you have magic quotes enabled: disable them before somebody starts hitting you with the cluestick.