Use a db class of just check get and post variables?

I'm writing a web application and i'm thinking about sql injections. I have created a database class that trough an array can makes everything, forgetting about escaping strings. That class works likes that:

$db->q(array(
'SELECT' => 'username',
'FROM' => USERS_TABLE, 
'WHERE' => array('user_id' => 1)
));

In that function (db::q()) i check everything that got to be checked before creatin开发者_开发百科g the sql string and executing it. By the way i think that it is not really needed. So i was thinking about just using a function request_var($name, 'POST'/'GET') that could get every $_POST and $_GET variables sent and escaping them so that i could just use:

$db->query("SELECT username FROM ".USERS_TABLE." WHERE user_id = 1");

. Is it enough? Should i use db::q() ? Should i use request_var() ? Should i use both?

You need to ensure you escape strings using the appropriate function for your database. For example, by using pg_escape_string to escape string values prior to inserting them into the database.

From your code snippet, it looks like you are accepting tables names as part of a GET / POST? Why does your front-end need to know about your database tables? Such knowledge should generally only be required of server-side code.

It's been my experience you don't just do a blanket check on all POST/GET variables. I typically check at the time of creating the query for a couple reasons:

1. No excess overhead assuming it doesn't make it to a query that time
2. I know what the data needs to look at when I know what column it's going in (validate ints, strings, floats, etc.)