Old 11-30-2007, 12:21 PM   #1 (permalink)
Wildhoney
Application Safe MySQL Parse Function

This is the function I use when constructing MySQL statements. It allows you to pass in any argument into the function and it will return it back to you all nice and safe.

As the function automatically quotes strings for you, there's no need to quote them in your statement. So for a string I wouldn't need to add the quotes around %s. It would be like so:

php Code:
sprintf("SELECT * FROM myTable WHERE myColumn = %s", mysql_parse_value($szItem));

The same goes for integers. The function, however, won't add quotes to an integer. The function even checks for the presence of the ever-annoying GPC, and acts accordingly based on its state.

php Code:
function mysql_parse_value($mValue, $bStripTags = true, $bAllowableTags = null)
{
    // Arrays are not supported. The post left the return value empty
    // (a bare "return"), so returning null here is an assumption.
    if (is_array($mValue))
    {
        return null;
    }

    // Undo the slashes added by magic_quotes_gpc so the value is not escaped twice.
    if (get_magic_quotes_gpc())
    {
        $mValue = stripslashes($mValue);
    }

    // Optionally remove HTML tags, keeping only those listed in $bAllowableTags.
    if ($bStripTags)
    {
        $mValue = strip_tags($mValue, $bAllowableTags);
    }

    // Numeric values are returned unquoted (note that is_numeric() also accepts
    // forms such as "1e3" and strings with leading whitespace). Everything else
    // is escaped against the currently open mysql connection and single-quoted.
    if (!is_numeric($mValue))
    {
        $mValue = "'" . mysql_real_escape_string($mValue) . "'";
    }

    return $mValue;
}
__________________
The man who comes back through the Door in the Wall will never be quite the same as the man who went out.
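The same query written with a PDO prepared statement, as an added example that is not part of the original post: the value is bound as a parameter instead of being quoted and escaped into the SQL text, and a small check shows which inputs the posted function's is_numeric() test would leave unquoted. The DSN, user and password are placeholders; the table and column names are the ones from the post's SELECT.

```php
<?php
// Added example, not the original poster's code. Assumes a MySQL server
// reachable with the placeholder credentials below.

// Bound parameters travel to the server separately from the SQL text, so
// magic quotes, hand quoting and escaping are not needed at all.
function fetch_by_column(PDO $pdo, $value)
{
    $stmt = $pdo->prepare('SELECT * FROM myTable WHERE myColumn = :value');
    $type = is_int($value) ? PDO::PARAM_INT : PDO::PARAM_STR;
    $stmt->bindValue(':value', $value, $type);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Which of a set of inputs the posted function would return without quotes:
// is_numeric() accepts more than plain digit strings.
function unquoted_by_is_numeric(array $inputs)
{
    return array_values(array_filter($inputs, 'is_numeric'));
}

// Constructed inputs: a digit string, an exponent form, a value with leading
// whitespace, and a non-numeric string (which would be quoted and escaped).
$samples = ['42', '1e3', ' 7', 'abc'];
print_r(unquoted_by_is_numeric($samples));   // '42', '1e3' and ' 7' pass

try {
    $pdo = new PDO(
        'mysql:host=localhost;dbname=EXAMPLE_DB',   // placeholder DSN
        'EXAMPLE_USER',                              // placeholder user
        'EXAMPLE_PASSWORD',                          // placeholder password
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,     // server-side prepare
        ]
    );
    // Bound as a string: the SQL text is unchanged whatever the value holds.
    print_r(fetch_by_column($pdo, '1e3'));
} catch (PDOException $e) {
    echo "Database unavailable: " . $e->getMessage() . PHP_EOL;
}
```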