Thanks for your reply

However, that's not quite what I want to do. The difference and the reason are easiest to demonstrate with code...
Say I have this function:
Code:
    function performQuery($value, $column) {
        // Both arguments are concatenated straight into the SQL text, so
        // whatever the caller passes becomes part of the query.
        $q = 'select * from "table" where "' . $column . '" = "' . $value . '"';
        $result = mysql_query($q);
        return $result;
    }
Now I can just put in two lines of code to proof this against SQL injection:
Code:
    function performQuery($value, $column) {
        // Escape each argument before it is concatenated into the query.
        // Note: mysql_real_escape_string() escapes the content of a string
        // literal; it does not make an arbitrary identifier such as a
        // column name safe.
        $value = mysql_real_escape_string($value);
        $column = mysql_real_escape_string($column);
        $q = 'select * from "table" where "' . $column . '" = "' . $value . '"';
        $result = mysql_query($q);
        return $result;
    }
But (a) I have lots of functions in this format that need to be edited, and (b) some of them take a very large number of arguments - so this crude method would involve adding a lot of repetitive lines of code and seems very inefficient. If instead I were to use a function which applied mysql_real_escape_string() to an array, the result would look like this:
Code:
    function performQuery($value, $column) {
        // preQueryCleanup() applies mysql_real_escape_string() to every
        // element of the array and returns the escaped copies.
        $safe_strings = preQueryCleanup(array('value' => $value, 'column' => $column));
        $value = $safe_strings['value'];
        $column = $safe_strings['column'];
        $q = 'select * from "table" where "' . $column . '" = "' . $value . '"';
        $result = mysql_query($q);
        return $result;
    }
As you can see, this doesn't actually gain anything in terms of efficiency. Alternatively I could do this (which would probably make more sense):
Code:
    function performQuery($value, $column) {
        $safe_strings = preQueryCleanup(array('value' => $value, 'column' => $column));
        // Use the escaped copies directly instead of reassigning the originals.
        $q = 'select * from "table" where "' . $safe_strings['column'] . '" = "' . $safe_strings['value'] . '"';
        $result = mysql_query($q);
        return $result;
    }
That does gain in efficiency, but it requires me to do a lot of going through existing code (much of it not mine, thus rather slow to do) and editing, rather than just inserting new lines at the beginning of each function which contains a MySQL query.
So what I'm trying to do is write a function to which I can pass some strings, but which will then apply mysql_real_escape_string() to the original variables instead of returning them. Were that possible, only a single extra line of code would be needed at the beginning of each function.
Does that make sense?
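One way to get the single-line-per-function form the post asks for, as an added example that is not the poster's code: PHP 5.6+ variadic by-reference parameters let one call rewrite the caller's own variables in place. It assumes a mysqli connection in `$link` and uses `mysqli_real_escape_string()` rather than the removed `mysql_*` functions; the second function shows the prepared-statement form, which needs no escaping for values and checks the column name against a whitelist because identifiers cannot be bound as parameters (the whitelist contents and `mysqli_stmt_get_result()` requiring mysqlnd are assumptions for the example).

```php
<?php
// Added example (not the original poster's code). Assumes a live mysqli
// connection in $link; mysqli_real_escape_string() needs it because the
// escaping depends on the connection's character set.

// Escape every argument in the caller's own variables. The "&" before the
// variadic "..." makes each element of $vars a reference (PHP >= 5.6), so
// assigning to $vars[$i] rewrites the caller's variable; nothing is returned.
function escapeInPlace(mysqli $link, &...$vars) {
    foreach ($vars as $i => $v) {
        $vars[$i] = mysqli_real_escape_string($link, (string) $v);
    }
}

// The post's performQuery() with the one extra line it asks for. Values go
// in single quotes and identifiers in backticks; escaping still does not make
// an arbitrary column name safe, which the prepared form below addresses.
function performQuery(mysqli $link, $value, $column) {
    escapeInPlace($link, $value, $column);
    $q = 'select * from `table` where `' . $column . '` = \'' . $value . '\'';
    return mysqli_query($link, $q);
}

// Safer form: bind the value as a parameter so no escaping is involved, and
// accept the column only from a fixed whitelist (constructed for the example),
// since identifiers cannot be bound and escaping does not validate them.
function performQueryPrepared(mysqli $link, $value, $column) {
    $allowed = ['id', 'name', 'email']; // hypothetical column list
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException('unknown column: ' . $column);
    }
    $stmt = mysqli_prepare($link, 'SELECT * FROM `table` WHERE `' . $column . '` = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . mysqli_error($link));
    }
    mysqli_stmt_bind_param($stmt, 's', $value);
    mysqli_stmt_execute($stmt);
    return mysqli_stmt_get_result($stmt); // requires the mysqlnd driver
}
```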