$sql = "SELECT * FROM table WHERE field1='".mysql_real_escape_string($field1_value)."' AND field2 ='".mysql_real_escape_string($field2_value)."'";
$result = mysql_query($sql);
while($row = mysql_fetch_array($result)){
//fetching goes here..
}

I would like to know a good approach for auto escaping, so that I don't have to write that escaping manually.
I have seen some styles like:
1>
$sql = "SELECT * FROM table WHERE field1='%s' AND field2 ='%s'";
$result = custom_query($sql, array($field1_value, $field2_value));

2>

$sql = "SELECT * FROM table WHERE field1=? AND field2 =?"; //without using quotes, which will be auto detected & quoted accordingly
$result = custom_query($sql, array($field1_value, $field2_value));

What will the custom_query() function look like?
Has anybody used a similar function?
Thanks in advance for the valuable suggestions.
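An added example, not code from the original post, of what a custom_query() helper in the second (`?` placeholder) style can look like when it is built on PDO prepared statements instead of the mysql_* extension (which was removed in PHP 7). The `%s` style from the first snippet still obliges the helper to escape and quote every value itself; with `?` placeholders the database driver does that, which is the point of the approach. The table name, column names, sample rows and the use of an in-memory SQLite database are assumptions made so the script runs offline; the DSN for MySQL is noted in the comments.

```php
<?php
// Added example, not code from the original post. custom_query() takes the "?"
// placeholder style from the question and hands the values to the database
// driver through a PDO prepared statement. The driver does the escaping and
// quoting, so the caller never calls mysql_real_escape_string() and never puts
// quotes around a placeholder.
//
// Assumptions: the table "items", its columns and the sample rows are made up
// for this demo. An in-memory SQLite database is used so the script runs
// offline. For MySQL use a DSN such as
//   'mysql:host=localhost;dbname=app;charset=utf8mb4'
// and also pass PDO::ATTR_EMULATE_PREPARES => false in the options, so the
// query text and the bound values travel to the server separately.

function custom_query(PDO $pdo, string $sql, array $params = []): array
{
    // prepare() parses the SQL with the placeholders still in it; no user
    // data has touched the query text at this point.
    $stmt = $pdo->prepare($sql);
    // execute() binds each array element to the matching "?" by position.
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// Constructed sample data, including a value with an embedded single quote.
$pdo->exec("CREATE TABLE items (id INTEGER PRIMARY KEY, field1 TEXT, field2 TEXT)");
$pdo->exec("INSERT INTO items (field1, field2) VALUES ('alice', 'x'), ('bob', 'o''brien')");

$sql = "SELECT * FROM items WHERE field1 = ? AND field2 = ?";

// Normal lookup: the quote in o'brien needs no manual escaping and the
// bob row is returned.
foreach (custom_query($pdo, $sql, ['bob', "o'brien"]) as $row) {
    echo $row['id'], ' ', $row['field1'], ' ', $row['field2'], PHP_EOL;
}

// Hostile input. Concatenated into the query string unescaped this would read
//   WHERE field1 = '' OR '1'='1' AND field2 = 'x'
// and match the alice row it should not. Bound as a parameter it is compared
// as a plain string and matches nothing.
$rows = custom_query($pdo, $sql, ["' OR '1'='1", 'x']);
echo count($rows), PHP_EOL;
```

The values array must line up with the placeholders in order, and a placeholder can only stand in for a value (never a table or column name), so the "auto detected & quoted" behaviour asked about in the question is exactly what the driver provides: a string value is sent as a string whatever characters it contains.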