From 1366e5fba1bdd8d0c800c429d8a370329485252f Mon Sep 17 00:00:00 2001
From: Chris Morgan
Date: Tue, 4 Jul 2006 06:19:06 +0000
Subject: [PATCH] query_parameters() usage example and the rule that all variables should be passed as parameters
---
include/db.php | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/include/db.php b/include/db.php
index d6d6e77..d0067fe 100644
--- a/include/db.php
+++ b/include/db.php
@@ -36,6 +36,14 @@ function query_appdb($sQuery,$sComment="")
  * Values are mysql_real_escape_string()'d to prevent against injection attacks
  * See http://php.net/mysql_real_escape_string for more information about why this is the case
  *
+ * Usage:
+ * $hResult = query_parameters("Select * from mytable where userid = '?'",
+ * $iUserId);
+ *
+ * Note:
+ * Ensure that all variables are passed as parameters to query_parameters()
+ * to ensure that sql injection attacks are prevented against
+ *
  */
 function query_parameters()
 {
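Review bot: The new Note says every variable must be passed as a parameter, but neither it nor the Usage example states that the `?` placeholder must sit inside quotes, which is the condition under which mysql_real_escape_string() escaping actually prevents injection — an unquoted placeholder used for a numeric value would still be exploitable. The example does quote it (`'?'`), so the rule should be explicit, e.g. add ` * Placeholders must always be written quoted, as '?', even for numeric values; escaping only protects inside a string literal.` to the Note. The wording `prevent against injection attacks` / `are prevented against` reads awkwardly; `prevent injection attacks` and `are prevented` are clearer. The body of query_parameters() is outside the hunk, so whether the function enforces the quoting itself cannot be confirmed here.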