if (!is_null($values)) {
foreach($fields as $field) {
if ($c++) $sql .= ',';
- $sql .= " `$field`='".mysql_escape_string(array_shift($values))."'";
+ $sql .= " `$field`='".mysql_real_escape_string(array_shift($values))."'";
}
} else {
foreach($fields as $field=>$value) {
if (in_array($value,$ex)) {
$sql .= " `$field`= $value";
} else {
- $sql .= " `$field`='".mysql_escape_string($value)."'";
+ $sql .= " `$field`='".mysql_real_escape_string($value)."'";
}
}
}
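Review bot: `$field` is interpolated between backticks on every branch of this hunk without validation, and `mysql_real_escape_string()` does not protect identifiers, so escaping the values alone leaves the column names as an injection path if they can ever come from request data. Each name should be checked against a fixed list of the table's columns before the clause is built, e.g. `if (!in_array($field, $allowed_columns, true)) continue;`, where `$allowed_columns` is a placeholder for a list this function would need. `mysql_real_escape_string()` also requires an open connection and escapes according to that connection's character set, so the charset should be set with `mysql_set_charset()` rather than a `SET NAMES` query; the same applies to the call in the `VALUES` hunk. The enclosing function starts outside the hunk, so where `$fields` and `$ex` originate is not visible here.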
$sql .= ') VALUES (';
$c = 0;
foreach($array as $field=>$value) {
- $v = mysql_escape_string($value);
+ $v = mysql_real_escape_string($value);
if ($c++) $sql .= ',';
if (in_array($v, $ex))
$sql .= " $v ";
$sql .= " '$v' ";
}
$sql .= ')';
- return (is_null($table)?$sql:('INSERT INTO `'.$table.'` '.$table));
+ return (is_null($table)?$sql:('INSERT INTO `'.$table.'` '.$sql));
}
function build_str($query_array) {
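Review bot: The `in_array($v, $ex)` branch in the `VALUES` loop has no `else`, so a value listed in `$ex` is appended twice, once raw and once quoted, which yields malformed SQL for the expressions `$ex` presumably exists to pass through. The two statements should read `if (in_array($v, $ex, true)) $sql .= " $v "; else $sql .= " '$v' ";`. The membership test also runs on the already-escaped `$v`; comparing the original `$value` with `$ex` and escaping only in the quoted branch would keep the allow-list match independent of escaping. `$table` is placed between backticks in the return line without validation, and the function starts outside the hunk.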