Just check GET and POST variables, or use a db class?

0 Answers php

I'm writing a web application and I'm thinking about SQL injections. I have created a database class that, through an array, can do everything, so I can forget about escaping strings. That class works like this:

$db->q(array(
'SELECT' => 'username',
'FROM' => USERS_TABLE, 
'WHERE' => array('user_id' => 1)
));

In that function (db::q()) I check everything that has to be checked before creating the SQL string and executing it. By the way, I think that it is not really needed. So I was thinking about just using a function request_var($name, 'POST'/'GET') that could get every $_POST and $_GET variable sent and escape them, so that I could just use:

$db->query("SELECT username FROM ".USERS_TABLE." WHERE user_id = 1");

Is this enough? Should I use db::q()? Should I use request_var()? Should I use both?
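The array form from the question can be compiled into a prepared statement instead of an escaped string, which also covers the case that escaping alone misses: an unquoted numeric condition such as `user_id = 1`, where there is no quote to escape. This is an added example, not the asker's db class; the `buildSelect()` function, the `users` table and the in-memory SQLite database are constructed for the illustration.

```php
<?php
// Added example (not the asker's db::q()): compile the SELECT/FROM/WHERE array
// into SQL with placeholders. Identifiers are whitelisted because they cannot be
// bound as parameters; values never become part of the SQL string at all.
function buildSelect(array $q): array {
    $ident = function (string $name): string {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            throw new InvalidArgumentException("Bad identifier: $name");
        }
        return '"' . $name . '"';
    };
    $cols = array_map($ident, (array) $q['SELECT']);
    $sql = 'SELECT ' . implode(', ', $cols) . ' FROM ' . $ident($q['FROM']);
    $params = [];
    if (!empty($q['WHERE'])) {
        $conds = [];
        foreach ($q['WHERE'] as $col => $val) {
            $conds[] = $ident($col) . ' = ?';  // the value is handed to the driver separately
            $params[] = $val;
        }
        $sql .= ' WHERE ' . implode(' AND ', $conds);
    }
    return [$sql, $params];
}

// Constructed in-memory database so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (user_id INTEGER, username TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");

// A request value as it would arrive from $_GET: always a string, here not a clean number.
// Escaping would leave it unchanged (no quotes to escape), and concatenated into
// "WHERE user_id = 1 OR 1=1" it would change the query's logic.
$userId = '1 OR 1=1';
[$sql, $params] = buildSelect([
    'SELECT' => 'username',
    'FROM'   => 'users',
    'WHERE'  => ['user_id' => $userId],
]);
$stmt = $pdo->prepare($sql);
$stmt->execute($params);
// Bound as a single value, the whole string is compared against user_id and matches no row.
var_dump($sql, $stmt->fetchAll(PDO::FETCH_COLUMN));
```

The same binding applies to the plain `$db->query(...)` style from the question: `prepare()` with `?` placeholders and `execute($params)` replaces the need for `request_var()` to escape anything, while identifiers and keywords still need a whitelist like the one above.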
