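/**
 * Builds the body of a SQL WHERE clause from a column => value map.
 *
 * Each entry becomes `` `col` = ? `` (value escaped through mysql_escapef) or, when
 * the value is an array, `` `col` IN (...) `` (values escaped through mysql_escapeCSV).
 * The fragments are joined with " AND " and $extraWhere is appended verbatim at the end.
 *
 * Column names cannot be parameterised, so they are whitelisted to \w+ before being
 * placed inside backticks. The pattern carries the D (dollar-end-only) modifier: a bare
 * "$" also matches just before a trailing "\n", so without D a name such as "id\n"
 * would pass the whitelist.
 *
 * @param array|null $criteriaArray  column => scalar, or column => array of values;
 *                                   a falsy value (null, []) means "no criteria"
 * @param string     $extraWhere     raw SQL appended as-is (defaults to 'TRUE' so the
 *                                   result is always a valid expression). It is NOT
 *                                   escaped here — never build it from untrusted input.
 * @return string  SQL fragment for use directly after "WHERE"
 *
 * Terminates the script via die() when a column name fails the whitelist.
 */
function mysql_where($criteriaArray = null, $extraWhere = 'TRUE') {
    $where = '';
    if ($criteriaArray) {
        foreach ($criteriaArray as $fieldName => $value) {
            // error checking: whitelist column chars to prevent sql injection.
            // D modifier: "$" must match only at the very end, not before a trailing newline.
            if (!preg_match('/^(\\w+)$/D', $fieldName)) {
                die(__FUNCTION__ . ": Invalid column name '" . htmlencode($fieldName) . "'!");
            }
            if (is_array($value)) {
                // NOTE(review): mysql_escapeCSV is defined elsewhere; confirm what it emits for an
                // empty array (its $defaultValue parameter suggests '0'), otherwise this would
                // produce "IN ()", which MySQL rejects.
                $where .= "`{$fieldName}` IN (" . mysql_escapeCSV($value) . ") AND ";
            } else {
                // mysql_escapef binds the value into the "?" placeholder with escaping
                $where .= mysql_escapef("`{$fieldName}` = ? AND ", $value);
            }
        }
    }
    // $extraWhere closes the trailing " AND " left by the loop (or stands alone when no criteria)
    $where .= $extraWhere;
    return $where;
}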
/**
 * Escapes a list of values into a comma-separated SQL list.
 *
 * Thin alias for mysql_escapeCSV() (defined elsewhere), kept so existing callers
 * using this older name keep working. Both arguments are passed straight through.
 *
 * @param array  $valuesArray   values to escape and join
 * @param string $defaultValue  forwarded unchanged (defaults to '0'); presumably what
 *                              mysql_escapeCSV emits for an empty list — verify there
 * @return string  whatever mysql_escapeCSV returns
 */
function mysql_getValuesAsCSV($valuesArray, $defaultValue = '0') {
    $escapedList = mysql_escapeCSV($valuesArray, $defaultValue);
    return $escapedList;
}