parseQuery function..
Posted: Sun Jul 16, 2006 10:42 am
I knocked up a query-parsing method and would like people to pick at it to see if I have missed any potential loopholes.
Usage:
Or you can still run a straight query as a single string argument, but then you are left to your own devices for escaping etc.
TIA
EDIT: Whoops.. should be in Security, sorry.
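/**
 * Bind the extra arguments into the positional placeholders (:1, :2, ...)
 * of the query passed as the first argument and store the result in
 * $this->query.
 *
 * Arguments: the SQL string, then one value per placeholder; :N is bound to
 * argument N. Each value is escaped with mysql_real_escape_string() against
 * $this->link and wrapped in single quotes, unless its string form
 * round-trips exactly through intval()/floatval(), in which case it is
 * emitted bare as a numeric literal (a round-tripped value is a canonical
 * number and cannot carry quote or comment characters).
 *
 * Placeholders are resolved in a single pass over the query, so :1 never
 * swallows the prefix of :10 and a bound value that itself contains ":2"
 * is not re-scanned and substituted again. A placeholder with no matching
 * argument, :0, or one written with leading zeros (:01) is left as written.
 *
 * Substitution is purely textual: any ":digits" sequence in the query,
 * including inside a quoted literal such as '12:30', is treated as a
 * placeholder.
 *
 * Throws InvalidArgumentException when called with no arguments and
 * RuntimeException if the placeholder scan fails.
 */
public function parseQuery ()
{
    $args = func_get_args();
    if (count($args) === 0) {
        throw new InvalidArgumentException('parseQuery() needs at least the query string');
    }
    // After the shift, argument N of the original call lives at index N-1.
    $str = array_shift($args);

    // Split on :N, keeping the captured digits: even elements are literal
    // query text, odd elements are placeholder numbers. Each placeholder
    // is therefore seen exactly once, independent of what gets bound.
    $parts = preg_split('/:(\d+)/', $str, -1, PREG_SPLIT_DELIM_CAPTURE);
    if ($parts === false) {
        throw new RuntimeException('parseQuery(): placeholder scan failed');
    }

    $out = '';
    foreach ($parts as $idx => $piece) {
        if ($idx % 2 === 0) {
            $out .= $piece;
            continue;
        }

        $n = (int) $piece;
        // Leave :0, leading-zero forms and unbound placeholders untouched,
        // matching the behaviour of the sequential str_replace this replaces.
        if ($n < 1 || (string) $n !== $piece || !array_key_exists($n - 1, $args)) {
            $out .= ':' . $piece;
            continue;
        }

        $value = $args[$n - 1];
        $text = strval($value);
        $escaped = mysql_real_escape_string($value, $this->link);
        // Only a value whose string form is exactly a canonical int/float is
        // emitted unquoted; everything else goes in as a quoted string.
        $looksNumeric = strval(intval($value)) === $text
            || strval(floatval($value)) === $text;
        $out .= $looksNumeric ? $escaped : "'" . $escaped . "'";
    }

    $this->query = $out;
}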
// Usage: :1 and :2 are bound to $val1 and $val2; each value is escaped with
// mysql_real_escape_string() and single-quoted unless it looks numeric.
$db->parseQuery('SELECT * FROM `table` WHERE `col` = :1 AND `col2` = :2', $val1, $val2);
TIA
EDIT: Whoops.. should be in Security, sorry.