- <?php
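// Example call shape only (see the usage notes below). This used to be a live call:
// it ran with an undefined $var and before any mysql connection existed, so the
// script died here with an uncaught Exception on every request. The query is a
// sprintf() format string and each value is a separate argument, never concatenated:
//   doQuery("SELECT * FROM `table` WHERE `column` = '%s';", $var);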
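/* Usage:
 * Drop-in replacement for mysql_query() that escapes each value before it is
 * placed into the SQL text. All 'mysql_query()' calls should go through it:
 *
 *   $DBQuery = doQuery("SELECT * FROM `users` WHERE `username` = '%s';", $Username);
 *
 * It still returns the mysql_query() result you expect, so mysql_fetch_assoc()
 * and friends work on it unchanged; on failure it throws an Exception.
 *
 * The escaping only protects you while ALL of the following hold - breaking any
 * of them re-opens SQL injection:
 *  - Every '%s' MUST sit inside single quotes in the query, as above.
 *    mysql_real_escape_string() only neutralises quote/backslash/NUL characters;
 *    an unquoted placeholder (WHERE `id` = %s) lets "1 OR 1=1" through untouched.
 *  - For integer columns use %d instead of '%s': sprintf() casts the value to an
 *    integer, so no SQL text can survive in it.
 *  - The query is a sprintf() format string, so a literal percent sign in it
 *    (e.g. LIKE '%%foo%%') must be written as %%.
 *  - Values are matched to placeholders in order:
 *    doQuery("SELECT * FROM `table` WHERE `Var1` = '%s' AND `Var2` = '%s'", $Var1, $Var2)
 *    The same works for INSERT/UPDATE or any query that takes values.
 *  - Only pass values as extra arguments; never concatenate user input into the
 *    query string itself - that part is not escaped.
 *  - mysql_real_escape_string() escapes according to the open connection's
 *    charset, so call mysql_set_charset() right after connecting; with a
 *    mismatched multi-byte charset a quote can still be smuggled past it.
 *  - Do not compare passwords in SQL (`password` = '%s'): store a hash and check
 *    it with password_verify() after fetching the row.
 *
 * NOTE: ext/mysql is deprecated since PHP 5.5 and removed in PHP 7. The real
 * long-term fix is a PDO or mysqli prepared statement with bound parameters.
 */
function doQuery($query) {
    // Argument 0 is the query; everything after it is a value for a placeholder.
    $params = func_get_args();
    $numParams = count($params);
    if ($numParams > 1) {
        for ($i = 1; $i < $numParams; $i++) {
            $escaped = mysql_real_escape_string($params[$i]);
            // mysql_real_escape_string() returns false (with a warning) when it has
            // no usable connection. The old code silently turned that into an empty
            // string and still sent the query; abort instead.
            if ($escaped === false) {
                throw new Exception('DB Class - doQuery: MySQL Error - mysql_real_escape_string() failed for argument ' . $i);
            }
            $params[$i] = $escaped;
        }
        $query = call_user_func_array('sprintf', $params);
        // Before PHP 8 sprintf() returns false when there are more placeholders
        // than values (PHP 8 throws ArgumentCountError itself).
        if ($query === false) {
            throw new Exception('DB Class - doQuery: placeholder/argument count mismatch');
        }
    }
    // No '@' suppression: any warning from mysql_query() belongs in the error log.
    $result = mysql_query($query);
    if ($result === false) {
        // The message carries mysql_error() for logging; never echo it to the
        // client, it reveals table/column names and query fragments.
        throw new Exception('DB Class - doQuery: MySQL Error - ' . mysql_error());
    }
    return $result;
}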
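$FName = "' or Bob"; // Imagine this is actually a $_POST value and someone is trying to inject.
// After mysql_real_escape_string() the text placed into the query is \' or Bob,
// so the quote cannot terminate the string literal around '%s'.
$SQLQuery = doQuery("SELECT * FROM `users` WHERE `FirstName` = '%s';", $FName);
// The result is the plain mysql_query() resource, so the usual fetch functions apply.
// doQuery() throws on failure rather than returning false, so this guard is only
// defensive; if kept, compare strictly instead of with '!='.
if ($SQLQuery !== false) {
    while ($row = mysql_fetch_assoc($SQLQuery)) {
        // Escape on output: a value read back from the database is still untrusted
        // when written into HTML (stored XSS otherwise).
        echo htmlspecialchars($row['FirstName'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}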
- ?>