PHP: "... variables can be passed by reference" in str_replace()?

The very last parameter, count, is passed by reference. You can see this in the description at http://us.php.net/str_replace where there's a & in front of the variable.

This means you cannot use a literal 1 there. You'd have to do:

$sql = str_replace('?', "'" . $param . "'", $sql, $count);echo $count;

You'll now have displayed on the screen how many instances were replaced.

Look at the documentation for preg_replace and str_replace and you will see why. str_replace's fourth argument must be passed by reference, but this is not the case for preg_replace.

I rewrite from VoteyDisciple

$sqlLogin = "SELECT * FROM users inner join role on users.roleId = role.id WHERE email=?1 and password=?2";function makeSql() {    $args = func_get_args();    if(isset($args[1])) {        $len = sizeof($args);        //var_dump($args);        $sql = $args[0];        for ($index = 1; $index < $len; $index++) {            $sql = str_replace('?'.strval($index), "'" . $args[$index] . "'", $sql);        }        return $sql;    }    return $args[0];}$sql = makeSql($sqlLogin, $myusername1, $mypassword);$result = mysqli_query($con, $sql);