<?php

/*

    Some hacked up code for Very Simple (Pretend) SQL Parameters
    -- For when you don't have PDO, or just can't be bothered

    Examples:

        >>> SQL("SELECT * FROM users WHERE id=? AND name LIKE ?", 123, '"123\"');
        SELECT * FROM users WHERE id=123 AND name LIKE "\"123\\\""

        >>> SQL("INSERT INTO user (nameFirst, nameLast) VALUES (?, ?)", "Fred", "Nurk");
        INSERT INTO user (nameFirst, nameLast) VALUES ("Fred", "Nurk")

*/

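/**
 * Build a literal SQL statement by substituting escaped values for `?` placeholders.
 *
 * This is a string-interpolation stand-in for real prepared statements and
 * inherits their weaknesses: values are escaped with mysql_real_escape_string(),
 * which needs an open ext/mysql connection (an extension removed in PHP 7.0),
 * and the result is only as safe as that escaping plus the quoting below.
 * Prefer PDO / mysqli prepared statements wherever they are available.
 *
 * Placeholder rules:
 *   - every `?` in $sql is a placeholder; there is no way to write a literal `?`
 *     (not even inside a quoted string in the template)
 *   - PHP int / float -> emitted bare
 *   - PHP bool        -> 1 / 0
 *   - PHP null        -> NULL
 *   - anything else   -> cast to string, escaped, wrapped in double quotes
 *     (note: under MySQL's ANSI_QUOTES sql_mode double quotes delimit
 *     identifiers, not strings; this helper does not support that mode)
 *
 * @param string $sql   statement template with `?` placeholders
 * @param mixed  ...    one value per placeholder, passed as extra arguments
 * @return string       the statement with every placeholder replaced
 * @throws Exception    when the argument count does not match the number of
 *                      placeholders, or when escaping is unavailable / fails
 */
function SQL($sql)
{
    // func_get_args() includes $sql itself; the values start at index 1.
    // (The original code escaped and counted the template as a parameter,
    // so the count check was always off by one.)
    $params = array_slice(func_get_args(), 1);
    $pieces = explode('?', (string) $sql);
    $slots  = count($pieces) - 1;

    if (count($params) !== $slots)
    {
        throw new Exception(sprintf("Incorrect number of paramaters.  Expected %d got %d", $slots, count($params)));
    }

    $newSql = '';

    foreach ($params as $i => $value)
    {
        $newSql .= $pieces[$i] . _SQL_literal($value);
    }

    // $pieces has exactly $slots + 1 entries; append the trailing text.
    return $newSql . $pieces[$slots];
}

/**
 * Render one PHP value as a MySQL literal (see SQL() for the mapping).
 *
 * @param mixed $value
 * @return string
 * @throws Exception when the escape function is unavailable or reports failure
 */
function _SQL_literal($value)
{
    if ($value === null)
    {
        return 'NULL';
    }

    if (is_bool($value))
    {
        return $value ? '1' : '0';
    }

    if (is_int($value) || is_float($value))
    {
        // Only native numbers are emitted bare. Numeric-looking *strings*
        // stay quoted so that "0123" is not silently turned into the
        // number 123 (which compares differently against a string column).
        return (string) $value;
    }

    if (!function_exists('mysql_real_escape_string'))
    {
        throw new Exception('SQL(): mysql_real_escape_string() is unavailable (ext/mysql was removed in PHP 7.0)');
    }

    $escaped = mysql_real_escape_string((string) $value);

    // Without an open connection the escaper returns false; the old code
    // quietly turned that into an empty quoted string.
    if ($escaped === false)
    {
        throw new Exception('SQL(): mysql_real_escape_string() failed - is there an open MySQL connection?');
    }

    return '"' . $escaped . '"';
}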

?>

Update: This is not only the wrong way to do escaping, but it also introduces more bugs. Don’t ever use.