function Query()
{
    $args = func_get_args();
    if (sizeof($args) > 0)
    {
        $query  = $args[0];
        $offset = 0; // only scan text not yet substituted, so a '?' inside a value is never treated as a placeholder
        for ($i = 1; $i < sizeof($args); $i++)
        {
            $pos = strpos($query, '?', $offset);
            if ($pos === FALSE)
            {
                break; // more values than placeholders
            }
            // preg_replace would interpret '$1' or '\1' in the escaped value as a backreference; substr_replace inserts it literally
            $value  = "'" . mysql_real_escape_string($args[$i]) . "'";
            $query  = substr_replace($query, $value, $pos, 1);
            $offset = $pos + strlen($value);
        }
        return $query;
    }
    else
    {
        return FALSE;
    }
}
I have a function like this. Basically, I make a query like this:
$this->Query('SELECT * FROM USERS WHERE Username = ? AND Points < ?', $username, $points);
It currently supports deprecated mysql functions, but adapting to mysqli will be as easy as replacing mysql with mysqli in my class.
Is this a safe approach to rely on against SQL Injection attacks? Every single question mark is getting sanitized automatically by mysql_real_escape_string and I never had problems before, but should I use mysqli_real_escape_string for sanitization?
I know about prepared statements of mysqli, but using bindParam for each variable seems a little overkill to me.
What do you think?
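For comparison, here is an added example (not the poster's code) that keeps the exact call shape of Query() above but implements it on top of mysqli prepared statements, so the values never pass through the SQL text and no per-variable bind line is needed at the call site. The Db class, the host/user/password values and the sample inputs are all assumptions constructed for the example; get_result() assumes the mysqlnd driver.

```php
<?php
// Added example (not the original poster's code): the same call shape,
// query('SELECT ... WHERE Username = ? AND Points < ?', $username, $points),
// implemented on top of mysqli prepared statements. Values never touch the
// SQL text, so quoting, connection charset and a '?' or '$1' inside a value
// are handled by the driver and server, not by string replacement.
// Connection parameters below are placeholders.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on errors instead of silently returning false

final class Db
{
    private mysqli $conn;

    public function __construct(string $host, string $user, string $pass, string $dbname)
    {
        $this->conn = new mysqli($host, $user, $pass, $dbname);
        // Declare the connection charset explicitly so client and server agree on it.
        $this->conn->set_charset('utf8mb4');
    }

    /**
     * Run $sql with one '?' per value in $params and return the rows.
     * The bind_param type string is derived from the PHP types, so the
     * caller does not write a bind line per variable.
     */
    public function query(string $sql, ...$params): array
    {
        // Sanity check only: counts '?' characters, including any inside SQL string literals.
        $placeholders = substr_count($sql, '?');
        if ($placeholders !== count($params)) {
            throw new InvalidArgumentException(
                sprintf('%d placeholders but %d values', $placeholders, count($params))
            );
        }

        $stmt = $this->conn->prepare($sql);
        if ($params) {
            // Argument unpacking passes the elements by reference, as bind_param requires (PHP 5.6+).
            $stmt->bind_param(self::types($params), ...$params);
        }
        $stmt->execute();

        $result = $stmt->get_result(); // false for statements that return no result set (INSERT, UPDATE, ...)
        $rows = $result ? $result->fetch_all(MYSQLI_ASSOC) : [];
        $stmt->close();
        return $rows;
    }

    /** Map each value to a bind_param type letter: i, d or s. */
    private static function types(array $params): string
    {
        $types = '';
        foreach ($params as $p) {
            if (is_int($p)) {
                $types .= 'i';
            } elseif (is_float($p)) {
                $types .= 'd';
            } else {
                $types .= 's'; // strings and null are sent as text / SQL NULL
            }
        }
        return $types;
    }
}

// Usage: same call shape as the question's Query(); the values are bound server-side.
$db = new Db('db.example.invalid', 'app_user', 'PLACEHOLDER_PASSWORD', 'app'); // placeholders, not real credentials
$username = "o'brien ? $1"; // constructed input: a quote, a '?' and '$1' are all passed through literally
$points   = 100;
$rows = $db->query('SELECT * FROM USERS WHERE Username = ? AND Points < ?', $username, $points);
printf("%d row(s)\n", count($rows));
```

The point of the placeholder count check is that a mismatch between `?` markers and values fails loudly before anything reaches the server; in the string-replacement version an extra `?` simply survives into the SQL and an extra value is silently dropped.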