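/**
 * Build the body of a MySQL WHERE clause from a column => value map.
 *
 * Every key is validated as a column name (word characters only) and wrapped
 * in backticks. A scalar value becomes "`col` = ? AND " via mysql_escapef();
 * an array value becomes "`col` IN (...) AND " via mysql_escapeCSV().
 * $extraWhere is appended after the generated conditions.
 *
 * Security notes:
 * - $extraWhere is concatenated verbatim with no escaping or validation. It
 *   must be trusted, developer-written SQL; request data must never reach it.
 * - Value escaping is delegated to mysql_escapef() / mysql_escapeCSV(), which
 *   are defined outside this block. NOTE(review): confirm both escape for the
 *   active connection character set.
 * - An invalid column name terminates the script with die().
 *
 * @param array|null $criteriaArray Map of column name => scalar or array of values.
 * @param string     $extraWhere    Raw SQL appended last. The 'TRUE' default gives
 *                                  the trailing "AND" a right-hand operand; an empty
 *                                  string combined with criteria leaves a dangling AND.
 * @return string WHERE clause body (without the "WHERE" keyword).
 */
function mysql_where($criteriaArray = null, $extraWhere = 'TRUE')
{
    $where = '';
    if ($criteriaArray) {
        foreach ($criteriaArray as $fieldName => $value) {
            // Whitelist column-name characters to prevent SQL injection through
            // array keys. The D modifier (PCRE_DOLLAR_ENDONLY) is required: without
            // it "$" also matches just before a trailing newline, so a key such as
            // "id\n" would pass the whitelist and be placed inside the backticks.
            if (!preg_match('/^\w+$/D', $fieldName)) {
                die(__FUNCTION__ . ": Invalid column name '" . htmlencode($fieldName) . "'!");
            }

            if (is_array($value)) {
                // Array value: match any member with the IN operator.
                $where .= "`{$fieldName}` IN (" . mysql_escapeCSV($value) . ") AND ";
            } else {
                // Scalar value: equality test, value bound through the ? placeholder.
                $where .= mysql_escapef("`{$fieldName}` = ? AND ", $value);
            }
        }
    }
    // Appended as-is; see the security note on $extraWhere above.
    $where .= $extraWhere;
    return $where;
}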
/**
 * Alias for mysql_escapeCSV(): forwards both arguments unchanged and returns
 * whatever that helper returns.
 *
 * mysql_escapeCSV() is defined outside this block, so escaping behaviour is
 * not visible here. NOTE(review): $defaultValue is presumably the text used
 * when $valuesArray is empty — confirm against mysql_escapeCSV().
 *
 * @param mixed $valuesArray  Values handed to mysql_escapeCSV().
 * @param mixed $defaultValue Second argument handed to mysql_escapeCSV(); defaults to '0'.
 * @return mixed Result of mysql_escapeCSV().
 */
function mysql_getValuesAsCSV($valuesArray, $defaultValue = '0')
{
    $escapedCsv = mysql_escapeCSV($valuesArray, $defaultValue);

    return $escapedCsv;
}