POS410 SQL sanitizer example
<?php
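/**
 * Minimal wrapper around ext/mysql that escapes values before they are
 * spliced into a printf-style query template.
 *
 * Scope of the protection (keep these in mind before reusing it):
 *  - each escaped value must land inside a single-quoted SQL literal
 *    ('%s'); a bare %s / %d in numeric position, an identifier (table or
 *    column name) or a LIKE pattern is not made safe by this escaping;
 *  - mysql_real_escape_string() escapes relative to the charset of the
 *    open connection, so a connection must already exist when it runs;
 *  - ext/mysql was removed in PHP 7. Prepared statements (mysqli / PDO)
 *    are the replacement: the values never touch the SQL text at all.
 */
class Mysql
{
    /**
     * Escape the values, build the query text and run it.
     *
     * Usage: Mysql::query($template, $value1, $value2, ...)
     *
     * @return resource|bool whatever mysql_query() returns
     * @throws InvalidArgumentException when no template is given
     * @throws RuntimeException when a value could not be escaped
     */
    public static function query()
    {
        $args = func_get_args();
        // __CLASS__ instead of the string "self": "self"/"static" inside a
        // string/array callable is deprecated as of PHP 8.2.
        return mysql_query(call_user_func_array(array(__CLASS__, 'queryf'), $args));
    }

    /**
     * Build the query text: the first argument is a vsprintf() template,
     * the remaining arguments are escaped and substituted in order.
     *
     * Usage: Mysql::queryf("SELECT ... WHERE email='%s'", $email)
     *
     * @return string the template with every value escaped and substituted
     * @throws InvalidArgumentException when no template is given
     * @throws RuntimeException when a value could not be escaped
     */
    public static function queryf()
    {
        $args = func_get_args();
        if (count($args) === 0) {
            // array_shift() on an empty list would hand vsprintf() a null template
            throw new InvalidArgumentException('queryf() needs a query template as its first argument');
        }
        $template = array_shift($args);
        return vsprintf($template, array_map(array(__CLASS__, 'escape'), $args));
    }

    /**
     * Escape one value for use inside a single-quoted MySQL literal.
     *
     * The previous code fed mysql_real_escape_string()'s return value
     * straight into vsprintf(); when that function fails (no open
     * connection) it returns false, which vsprintf() renders as "" -- the
     * query then runs with the value silently dropped. A sanitizer should
     * fail loudly instead.
     *
     * @param mixed $value scalar to escape (coerced to string by ext/mysql)
     * @return string
     * @throws RuntimeException if ext/mysql is unavailable or escaping fails
     */
    private static function escape($value)
    {
        if (!function_exists('mysql_real_escape_string')) {
            throw new RuntimeException('mysql_real_escape_string() is unavailable (ext/mysql was removed in PHP 7); use mysqli or PDO prepared statements');
        }
        $escaped = mysql_real_escape_string($value);
        if ($escaped === false) {
            // no connection: the charset-aware escaping could not run
            throw new RuntimeException('mysql_real_escape_string() failed: no open MySQL connection, value was not escaped');
        }
        return $escaped;
    }
}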
# Example usage: the same login template is filled in twice. What keeps the
# second, hostile input from ending the literal early is that each %s sits
# inside single quotes and the escaper backslashes the embedded apostrophe.
# NOTE: comparing a plaintext password in SQL is for illustration only;
# real code stores password_hash() output and checks with password_verify().
$loginQuery = "SELECT * FROM users WHERE email='%s' AND password='%s';";
$cases = array(
    // ordinary login: an apostrophe in a name must survive escaping
    // => SELECT * FROM users WHERE email='Robert O\'Malley' AND password='helloWorld11';
    array("Robert O'Malley", "helloWorld11"),
    // injection attempt: the apostrophe is escaped, so the text stays inside the literal
    // => SELECT * FROM users WHERE email='\'; DROP TABLE users; -- ' AND password='';
    array("'; DROP TABLE users; -- ", ""),
);
foreach ($cases as $case) {
    list($email, $password) = $case;
    echo Mysql::queryf($loginQuery, $email, $password);
}
?>