September 12, 2005 | PHP Scripting
The change is minor but has significant meaning to the script. I added two functions – escapeData() and buildQuery().
The significance of adding these is mainly in the escapeData() function. Instead of encouraging the user the use addslashes before using submitted data or, worse yet, encouraging the user to rely on magic_quotes, the escapeData function uses the mysql_real_escape_string function to escape the data per the mySQL server’s instruction. In this case the escaping is more in tune to what the SQL server needs and is also consistent with the character encoding that the database uses. Character encoding is picky when storing binary data in the database, so this helps maintain a proper matchup of data encodings.
And example of usage would be:
$query = sprintf("SELECT * FROM table WHERE email=%1 AND name=%2",
The other is buildQuery. buildQuery ties in directly to escapeData in that it uses the escapeData function to put together an escaped query string like so:
$base_query = "SELECT * FROM table WHERE email=%1 AND name=%2";
$query = $db->buildQuery($base_query,$var1,$var2,etc...);
The function is nothing extraordinary (it actually emulates using sprintf with a foreach loop) but it can save you some typing on long queries that use a lot of outside data.
So, nothing huge, just trying to be correct. Download the updated dbConnect script here or peruse the source code here.