snippets / SQL Injection prevention

Language: Php - First posted by lacop on 2007-10-28 18:02 (11 months, 2 weeks)
Link to the snippet: http://www.friendsnippets.org/snippet/105/

Function that escapes each of its arguments and fills them into a printf-style SQL query template

```php
<?php

// NOTE: the mysql_* extension used here was deprecated in PHP 5.5 and removed in PHP 7;
// on current PHP the equivalent is mysqli_real_escape_string($link, $v), or a prepared statement.
mysql_connect('localhost', 'guest', 'heslo');

// Takes a printf-style format string followed by the values to fill in.
// Each value is run through mysql_real_escape_string() before vsprintf() builds the query,
// so the caller never concatenates raw input into SQL. String placeholders in $format
// must be written inside quotes ('%s'); %d and %f coerce the value to a number.
function my_escape ($format) {
    // Nothing to escape: the format string alone is returned unchanged
    if (func_num_args() == 1) return $format;

    $data = func_get_args();
    array_shift($data); // drop $format, keep only the values

    foreach ($data as $k => $v) {
        $data[$k] = mysql_real_escape_string($v);
    }

    return vsprintf($format, $data);
}

// %.3f and %d keep only the leading numeric part: "float: 10.500, int: 100"
echo my_escape('float: %.3f, int: %d', '10.5fgfg', '00100ffd');
// '42foo' becomes 42; the quote in bla'bla is escaped to bla\'bla
echo my_escape('SELECT * FROM ... WHERE foo.id = %d AND foo.pass = \'%s\'', '42foo', 'bla\'bla');
// The injected quote is escaped, so the whole input stays inside the string literal
echo my_escape('SELECT * FROM ... WHERE name = \'%s\' AND pass = \'%s\'', '123foo', '\' OR 1=1;--');
?>
```
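The same two queries from the snippet, rewritten with PDO prepared statements as an added example (not part of the original snippet): the values are sent to the server separately from the SQL text, so the defence no longer depends on every %s in the format string being quoted. The DSN, database name and the table name `foo` are assumptions.

```php
<?php
// Added example, not the original snippet. Host, database, credentials and the
// table name `foo` are assumed; the query shapes mirror the snippet's examples.
$pdo = new PDO('mysql:host=localhost;dbname=testdb;charset=utf8mb4', 'guest', 'heslo', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    // Server-side prepares: the statement is parsed before any value arrives
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Equivalent of: SELECT * FROM ... WHERE foo.id = %d AND foo.pass = '%s'
function find_user(PDO $pdo, string $id, string $pass): array {
    // The snippet's %d coerced '42foo' to 42; do the same explicitly and bind as an integer
    $stmt = $pdo->prepare('SELECT * FROM foo WHERE id = :id AND pass = :pass');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->bindValue(':pass', $pass, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Equivalent of: SELECT * FROM ... WHERE name = '%s' AND pass = '%s'
function find_by_name(PDO $pdo, string $name, string $pass): array {
    // No escaping needed: each bound value is compared literally against its column,
    // so the snippet's input "' OR 1=1;--" is just a string that matches no password.
    $stmt = $pdo->prepare('SELECT * FROM foo WHERE name = ? AND pass = ?');
    $stmt->execute([$name, $pass]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

var_dump(find_user($pdo, '42foo', 'bla\'bla'));
var_dump(find_by_name($pdo, '123foo', '\' OR 1=1;--'));
```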