Is this sql input validation secure?

I'm currently developing a database class for a project I've been working on. I would like to know if the following function has any holes or errors in it that would allow for someone to use MySQL injection.

[code]
public function sql_validate($var)
{
    if (is_null($var)) {
        return NULL;
    } else if (is_string($var)) {
        return "'" . $this->sql_escape($var) . "'";
    } else if (is_bool($var)) {
        return intval($var);
    } else {
        return $var;
    }
}
[/code]

Here's the function sql_escape which is called for strings.

[code]
private function sql_escape($string)
{
    if (!$this->db_connection) {
        return @mysql_real_escape_string($string);
    }
    return @mysql_real_escape_string($string, $this->db_connection);
}
[/code]
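
Added example, not part of the original post: the same per-type dispatch done with PDO bound parameters instead of string escaping, with any value that is not null, bool, int, float or string rejected rather than passed through as in the final `else` branch of `sql_validate`. `param_type` and `run_query` are hypothetical names, and the in-memory SQLite database is an assumption made so the example runs offline; the same calls apply with a `mysql:` DSN.

```php
<?php
// Added example (not the poster's code); helper names are hypothetical.

/** Map a PHP value to a PDO parameter type, refusing anything unexpected. */
function param_type($var): int
{
    if (is_null($var)) { return PDO::PARAM_NULL; }
    if (is_bool($var)) { return PDO::PARAM_BOOL; }
    if (is_int($var))  { return PDO::PARAM_INT; }
    if (is_float($var) || is_string($var)) { return PDO::PARAM_STR; }
    // Arrays, objects and resources reach the final else branch of
    // sql_validate() and are returned unchanged; here they are refused.
    throw new InvalidArgumentException(
        'Unsupported SQL parameter type: ' . gettype($var)
    );
}

/** Prepare $sql and bind each value by position with an explicit type. */
function run_query(PDO $pdo, string $sql, array $params): PDOStatement
{
    $stmt = $pdo->prepare($sql);
    foreach (array_values($params) as $i => $value) {
        $stmt->bindValue($i + 1, $value, param_type($value)); // 1-based index
    }
    $stmt->execute();
    return $stmt;
}

// Assumption: SQLite in memory, used only so the example is self-contained.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, active INTEGER)');
run_query($pdo, 'INSERT INTO users (name, active) VALUES (?, ?)', ["O'Brien", true]);

// Constructed input containing quotes: it is compared as data, not parsed as SQL.
$input = "x' OR '1'='1";
$rows = run_query($pdo, 'SELECT id FROM users WHERE name = ?', [$input])->fetchAll();
var_dump(count($rows));

// Constructed input of an unexpected type: rejected before it reaches the query.
try {
    run_query($pdo, 'SELECT id FROM users WHERE id = ?', [['1 OR 1=1']]);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```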
 