Can you please give me advice? I searched for questions but did not find something similar to mine.
How do I make my user inputs automatically escaped when they are intended to be used in SQL queries? I don't like my code filled with something like
$var_x = $DB->Escape($_POST['var_x']);
$another_var = $DB->Escape($_POST['another_var']);
$some_string = $DB->Escape($_POST['some_string']);
*Assuming I have a Database class with an Escape method which performs mysql_real_escape_string*
But I can't set auto escape on the SQL query as well, because it breaks insert queries:
$result = mysql_query($this->Escape($sql));
$q = $DB->Exec("SELECT * FROM table WHERE id = 'xxx'");
It makes them \'xxx\', which is incorrect.
The last thing I want to do is make parameterized statements, as it will make the system more complicated. I'll consider this option when nothing else is left.
In short - how to make a smart auto-escape which works with the whole query and escapes only values?
posted date: 2009-04-08 02:17:00
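One way to get the "escape only the values" behaviour the question asks for, as an added example that is not part of the original post: values go through `?` placeholders and a helper quotes and escapes exactly those, never the SQL text, so an INSERT keeps its own quotes intact. It assumes a mysqli connection in `$db` and a constructed `users` table; the PDO lines at the end show the equivalent with server-side prepared statements.

```php
<?php
// Added example, not code from the original post. Assumes $db is an open
// mysqli connection; the `users` table and column names are constructed.

function bind_query(mysqli $db, string $sql, array $params): string
{
    // Every value must arrive via a '?' placeholder; a literal '?' inside the
    // SQL text is not supported by this simple splitter.
    $parts = explode('?', $sql);
    if (count($parts) - 1 !== count($params)) {
        throw new InvalidArgumentException('placeholder/parameter count mismatch');
    }
    $out = $parts[0];
    foreach (array_values($params) as $i => $value) {
        if ($value === null) {
            $literal = 'NULL';
        } elseif (is_int($value) || is_float($value)) {
            $literal = (string) $value;            // numbers need no quotes
        } elseif (is_bool($value)) {
            $literal = $value ? '1' : '0';
        } else {
            // The surrounding quotes are part of the literal, so a value xxx
            // becomes 'xxx' and an embedded ' becomes \' inside the literal.
            $literal = "'" . $db->real_escape_string((string) $value) . "'";
        }
        $out .= $literal . $parts[$i + 1];
    }
    return $out;
}

// The INSERT that whole-query escaping breaks now keeps its own quotes:
$sql = bind_query($db, "INSERT INTO users (name, age) VALUES (?, ?)",
                  [$_POST['name'] ?? '', (int) ($_POST['age'] ?? 0)]);
$db->query($sql);

// Equivalent with PDO prepared statements: the value never touches the SQL
// string at all, which removes the escaping question entirely.
// $pdo = new PDO('mysql:host=localhost;dbname=app', $user, $pass);
// $stmt = $pdo->prepare('INSERT INTO users (name, age) VALUES (?, ?)');
// $stmt->execute([$_POST['name'] ?? '', (int) ($_POST['age'] ?? 0)]);
```

The count check throws on a mismatch between placeholders and parameters, so a value can never silently end up unescaped in the query text.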