I was trying to think up a nice, simple solution to SQL injection while
pondering my top ten vulnerability list. Here's something I came up with.
Tell me what you think.
    function sql() {
        // First argument is the SQL template; the rest are the values to splice in.
        $args = func_get_args();
        $format = array_shift($args);
        for ($i = 0, $l = count($args); $i < $l; $i++) {
            // Escape quotes, backslashes and NUL bytes before the value reaches the template.
            // Note: mysql_escape_string() ignores the connection charset; mysql_real_escape_string()
            // was the connection-aware replacement, and both were removed in PHP 7.
            $args[$i] = mysql_escape_string($args[$i]);
        }
        // %d placeholders cast their argument to int; a %s placeholder must be written
        // quoted in the template ('%s'), because escaping alone does not add the quotes.
        return vsprintf($format, $args);
    }

    $sql = sql("SELECT * FROM tblChicken WHERE pkChicken = %d", $id);
sql() takes the variables passed to it, escapes them for quotes, and inserts them
into a SQL template. Variables that are supposed to be numeric will get cast
to int automatically by vsprintf().
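The same template idea rebuilt so it runs offline today, as an added example rather than the poster's code: the mysql_* functions are gone in PHP 7, so this version uses PDO against an in-memory SQLite table (the tblChicken(pkChicken, name) schema is assumed). It swaps mysql_escape_string() for PDO::quote(), which escapes the value and supplies the surrounding quotes itself, closing the gap where a %s written without quotes in the template leaves the escaping useless. It also shows the prepared-statement form that the helper approximates, where no value is ever spliced into SQL text at all.

```php
<?php
// Added example; not from the original post. Assumes PHP with pdo_sqlite.

// Same shape as the posted sql() helper, but built on PDO::quote().
// Integers are spliced in bare; everything else is quoted-and-escaped, so the
// template must NOT wrap %s in quotes (quote() has already done that).
function sql(PDO $db, string $format, ...$args): string {
    foreach ($args as $i => $arg) {
        $args[$i] = is_int($arg) ? $arg : $db->quote((string) $arg);
    }
    return vsprintf($format, $args);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Constructed sample data; the second name carries an embedded quote.
$db->exec("CREATE TABLE tblChicken (pkChicken INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO tblChicken VALUES (1, 'Henrietta'), (2, 'O''Brien')");

// %d: vsprintf casts the argument to int, so anything that is not a number
// arrives in the SQL as a plain integer, never as SQL text.
$byId = sql($db, "SELECT name FROM tblChicken WHERE pkChicken = %d", "2");
echo $byId, "\n";
echo $db->query($byId)->fetchColumn(), "\n";

// %s: quote() doubles the embedded quote and wraps the value, so the
// template is written without quotes around the placeholder.
$byName = sql($db, "SELECT pkChicken FROM tblChicken WHERE name = %s", "O'Brien");
echo $byName, "\n";
echo $db->query($byName)->fetchColumn(), "\n";

// What the helper is imitating: a prepared statement with a bound parameter.
// The value travels separately from the SQL, so there is no template to get wrong.
$stmt = $db->prepare("SELECT pkChicken FROM tblChicken WHERE name = :name");
$stmt->execute([':name' => "O'Brien"]);
echo $stmt->fetchColumn(), "\n";
```

The is_int() branch is the one place the helper still trusts the caller: a numeric value arriving as a string (as form input does) goes through quote() and is compared as text, which is harmless here but is exactly the kind of type ambiguity that the bound-parameter version avoids.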