I was trying to think up a nice, simple solution to SQL injection while
pondering my top ten vulnerability list. Here's something I came up with.
Tell me what you think.
<?php
// Escape every argument, then substitute the escaped values into the template.
function sql() {
    $args = func_get_args();
    $format = array_shift($args);
    for ($i = 0, $l = count($args); $i < $l; $i++) {
        $args[$i] = mysql_escape_string($args[$i]);
    }
    return vsprintf($format, $args);
}
$sql = sql("SELECT * FROM tblChicken WHERE pkChicken = %d", $id);
sql() takes the variables passed to it, escapes them for quotes, and inserts them
into a SQL template. Variables that are supposed to be numeric will get cast
to int automatically by vsprintf().
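An added example (not the post's code) that makes the helper's main caveat explicit: escaping only protects a value that the template places inside quotes, so this guard rejects any %s that is not written as '%s', and it shows what vsprintf()'s %d does with non-numeric input. The names check_sql_template() and safe_sql() are hypothetical, and addslashes() stands in for mysql_escape_string() so the snippet runs without the mysql extension.

```php
<?php
// Added example, not from the post. Guards the sql() template approach:
// a %s placeholder is only safe when the template already wraps it in quotes.
function check_sql_template(string $format): void {
    // Match conversion specifiers such as %d, %s, %05.2f and the literal %%.
    // Positional arguments (%1$s) are not handled by this simple check.
    preg_match_all('/%[-+ 0]*\d*(?:\.\d+)?[a-zA-Z%]/', $format, $m, PREG_OFFSET_CAPTURE);
    foreach ($m[0] as [$spec, $pos]) {
        $type = substr($spec, -1);
        if ($type === '%') {
            continue;                                   // literal percent sign
        }
        if ($type === 's') {
            $before = $pos > 0 ? $format[$pos - 1] : '';
            $after  = $format[$pos + strlen($spec)] ?? '';
            if ($before !== "'" || $after !== "'") {
                throw new InvalidArgumentException("unquoted %s at offset $pos in: $format");
            }
        } elseif (!in_array($type, ['d', 'u', 'f', 'F'], true)) {
            throw new InvalidArgumentException("unsupported specifier $spec");
        }
    }
}

function safe_sql(string $format, ...$args): string {
    check_sql_template($format);
    // addslashes() is a stand-in for the post's mysql_escape_string() (assumption:
    // a real deployment would use a connection-aware escaper or prepared statements).
    $args = array_map('addslashes', $args);
    return vsprintf($format, $args);
}

// Accepted: the %s is quoted, so the escaped value stays inside a string literal.
echo safe_sql("SELECT * FROM tblChicken WHERE name = '%s'", "O'Brien"), "\n";

// %d silently casts: "12abc" becomes 12 and "abc" becomes 0, so numeric input
// should still be validated before it reaches the template.
echo safe_sql("SELECT * FROM tblChicken WHERE pkChicken = %d", "12abc"), "\n";
echo safe_sql("SELECT * FROM tblChicken WHERE pkChicken = %d", "abc"), "\n";

// Rejected: an unquoted %s would let an escaped value leave the string literal.
try {
    safe_sql("SELECT * FROM tblChicken WHERE name = %s", "x");
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```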