# Always escape all data that comes from a user and is headed into your database (use mysql_real_escape_string(), or bind the values to prepared statements using MySQLi or PDO). This prevents data supplied by the user from being confused with your SQL code. http://php.net/mysql_real_escape_string http://php.net/pdo
 
 
# Be sure to use escaping *correctly*! If you use mysql_real_escape_string() on a value from $_GET and then, because you think it's a number, leave the quotes off the variable in your SQL, you're vulnerable to injection! Since an attacker doesn't need to "break out" of your quotes (because he isn't inside any), he can inject raw SQL commands, and mysql_real_escape_string() can do nothing to stop him. Now, database engines don't particularly like it when you quote integers, as it causes them to run a bunch of internal code for each row to convert them, which is why people commonly try to leave the quotes off. You have three choices to solve this problem.
 
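The following is an added example, not code from the wiki page, showing the unquoted-integer pitfall described above next to two safe ways of handling a numeric parameter. It runs against an in-memory SQLite database through PDO (the `pdo_sqlite` driver is assumed to be installed), because the old `mysql_*` functions were removed in PHP 7 and `mysqli_real_escape_string()` needs a live MySQL connection. The helper `escapeLikeMysql()` is a hypothetical stand-in that escapes only the quote-like characters, which is enough to show why escaping alone cannot protect a bare number.

```php
<?php
// Added example (not from the wiki page). Assumes the pdo_sqlite driver.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// Hypothetical stand-in for mysql_real_escape_string(): it only backslash-escapes
// quote-like characters. A value with no quotes in it passes through unchanged.
function escapeLikeMysql(string $s): string
{
    return addcslashes($s, "\x00\n\r\\'\"\x1a");
}

// THE PITFALL: escaped, but interpolated without quotes "because it's a number".
// Whatever the user sent becomes part of the SQL grammar, not a string literal.
// This function only builds the query so the reader can see the result.
function vulnerableQuery(string $rawId): string
{
    $escaped = escapeLikeMysql($rawId);
    return "SELECT id, name FROM users WHERE id = $escaped";
}

// FIX 1: validate the value as an integer before it goes anywhere near SQL.
// Non-integers are rejected instead of silently coerced.
function lookupWithValidatedInt(PDO $pdo, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }
    // $id is now a PHP int, so interpolating it cannot introduce SQL syntax.
    $row = $pdo->query("SELECT id, name FROM users WHERE id = $id")->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// FIX 2: a prepared statement with a bound integer parameter. The value travels
// separately from the SQL text, so quoting is no longer the developer's problem.
function lookupWithPreparedStatement(PDO $pdo, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Constructed inputs: a well-formed id and a value that is not an integer at all.
$inputs = ['2', '2 extra'];

foreach ($inputs as $raw) {
    echo "input: '$raw'\n";
    // Escaping leaves the non-numeric input untouched, so the whole thing lands in the query.
    echo "  vulnerable SQL : " . vulnerableQuery($raw) . "\n";
    echo "  validated int  : " . json_encode(lookupWithValidatedInt($pdo, $raw)) . "\n";
    echo "  prepared stmt  : " . json_encode(lookupWithPreparedStatement($pdo, $raw)) . "\n";
}
```

Running it shows that for `'2'` all three paths agree, while for `'2 extra'` the vulnerable builder emits `... WHERE id = 2 extra` (the escaper had nothing to escape) and both fixes return `null` before any SQL is executed. Validation up front is what makes the unquoted form safe; the prepared statement additionally removes the temptation to interpolate at all.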