Well I created this function a while back but it's still invaluable to people who generate queries. If you're familiar with sprintf and use it to put your variables into your mysql queries then you can use instead of using mysql_real_escape_string on every param. For example, suppose you have
PHP Code:
$query = sprintf("INSERT INTO
`users`
(`firstname`, `lastname`, `address1`, `zipcode`)
VALUES
('%s', '%s', '%s', '%s', '%s')",
mysql_real_escape_string($firstname),
mysql_real_escape_string($flastname),
mysql_real_escape_string($address1),
mysql_real_escape_string($zipcode)
);
You could convert it to just
PHP Code:
$query = mressf("INSERT INTO
`users`
(`firstname`, `lastname`, `address1`, `zipcode`)
VALUES
('%s', '%s', '%s', '%s', '%s')",
$firstname,
$flastname,
$address1,
$zipcode
);
and it would escape all the values for you
Here is the function
PHP Code:
function mressf()
{
$args = func_get_args();
if (count($args) < 2)
return false;
$query = array_shift($args);
$args = array_map('mysql_real_escape_string', $args);
array_unshift($args, $query);
$query = call_user_func_array('sprintf', $args);
return $query;
}
the sprintf mysql_real_escape_string function can aslo be found
here
I hope this is of help to some of you
Before you post, read our: 
