Very Simple (Pretend) SQL Parameters
<?php
/*
Some hacked-up code for Very Simple (Pretend) SQL Parameters
-- For when you don't have PDO, or just can't be bothered
Examples:
>>> SQL("SELECT * FROM users WHERE id=? AND name LIKE ?", 123, '"123\"');
SELECT * FROM users WHERE id=123 AND name LIKE "\"123\\\""
>>> SQL("INSERT INTO user (nameFirst, nameLast) VALUES (?, ?)", "Fred", "Nurk");
INSERT INTO user (nameFirst, nameLast) VALUES ("Fred", "Nurk")
*/
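/**
 * Builds a SQL string by substituting each `?` in $sql with an escaped literal.
 *
 * Placeholders are filled positionally from the arguments after $sql:
 * PHP ints and floats are interpolated bare; every other value is cast to
 * string, passed through mysql_real_escape_string() and wrapped in double
 * quotes. Quoting is decided by the PHP type, not by is_numeric(), so a
 * caller-supplied string such as "123" is always emitted as a quoted literal.
 *
 * Known limitations (this is string building, not a prepared statement):
 *  - every `?` in $sql is treated as a placeholder, including one that sits
 *    inside a quoted literal in the query text
 *  - null is emitted as "" (an empty string literal), not as SQL NULL
 *  - double-quoted literals are only valid while MySQL's ANSI_QUOTES mode is off
 *  - escaping is only as good as the connection charset that
 *    mysql_real_escape_string() sees; it needs an open mysql connection
 * Prefer PDO/mysqli prepared statements wherever they are available.
 *
 * @param string $sql query text with `?` placeholders; further arguments are
 *                    the values, one per placeholder
 * @return string the assembled query
 * @throws Exception        when the placeholder and parameter counts differ
 * @throws RuntimeException when a string parameter cannot be escaped
 */
function SQL($sql)
{
    // func_get_args() includes $sql itself; drop it so only the values remain.
    $params = array_slice(func_get_args(), 1);
    $pieces = explode('?', $sql);
    $expected = count($pieces) - 1;

    // Validate before touching the escaper so a bad call fails even without a connection.
    if (count($params) !== $expected) {
        throw new Exception(sprintf("Incorrect number of paramaters. Expected %d got %d", $expected, count($params)));
    }

    $out = '';
    foreach ($params as $i => $value) {
        if (is_int($value) || is_float($value)) {
            // Numeric PHP values go in bare; the cast is the same one string concatenation would do.
            $literal = (string) $value;
        } else {
            if (!function_exists('mysql_real_escape_string')) {
                throw new RuntimeException('mysql_real_escape_string() is unavailable; cannot escape a string parameter');
            }
            $escaped = mysql_real_escape_string((string) $value);
            // The escaper returns false when there is no open connection; never
            // let that silently turn into an empty literal.
            if ($escaped === false) {
                throw new RuntimeException('mysql_real_escape_string() failed; no open mysql connection');
            }
            $literal = '"' . $escaped . '"';
        }
        $out .= $pieces[$i] . $literal;
    }

    // $pieces has exactly one more element than $params: the text after the last placeholder.
    return $out . $pieces[$expected];
}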
?>
Update: This is not only the wrong way to do escaping, but it also introduces more bugs. Don’t ever use it.