# Be sure to use escaping *correctly*! If you use mysql_real_escape_string() on a value from $_GET, then because you think it's a number, you don't put quotes around the variable in your SQL - you're vulnerable to injection! Since an attacker doesn't need to "break out" of your quotes (because he's not inside any), he can inject raw SQL commands and mysql_real_escape_string() can do nothing to stop him. Now, database engines don't particularly like it when you quote integers, as it causes them to run a bunch of internal code for each row to convert them, which is why people commonly try to leave the quotes off. You have three choices to solve this problem.
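The unquoted-integer mistake described above, shown end to end as an added example that is not part of the original post. It is written in Python against an in-memory SQLite database standing in for PHP/MySQL; the `escape()` helper is a stand-in for mysql_real_escape_string() (it doubles quotes, which is SQLite's rule, where MySQL backslash-escapes instead, but in both cases the output is only safe inside quotes), and the `users` table is constructed sample data. The three remedies it shows (quoting the escaped value, casting to int first, and a prepared statement) are the ones a practitioner would reach for; the post itself does not list its three.

```python
import sqlite3

# Constructed sample data standing in for the real users table.
USERS = [(1, "alice", "alice@example.com"),
         (2, "bob", "bob@example.com"),
         (3, "carol", "carol@example.com")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def escape(value: str) -> str:
    """Stand-in for mysql_real_escape_string() (assumption: SQLite dialect).

    Neutralises quote characters so they cannot terminate a string literal.
    SQLite escapes a quote by doubling it; MySQL backslash-escapes. Either
    way the result is only safe INSIDE quotes, and nothing here adds them."""
    return value.replace("'", "''")


def vulnerable_query(user_input: str) -> str:
    # The bug from the text: the value is escaped but dropped into the SQL
    # unquoted "because it's a number". There is no quote to break out of,
    # so "1 OR 1=1" passes through escape() untouched and becomes live SQL.
    return "SELECT id, name FROM users WHERE id = " + escape(user_input)


def quoted_query(user_input: str) -> str:
    # Fix 1: quote the escaped value. The engine now has to cast the string
    # per row (the cost the text mentions), but injection is impossible.
    return "SELECT id, name FROM users WHERE id = '" + escape(user_input) + "'"


def intcast_query(user_input: str) -> str:
    # Fix 2: validate/cast to an integer before it ever touches the SQL text.
    # int() raises ValueError on anything that is not a whole number, so a
    # payload like "1 OR 1=1" is rejected rather than executed.
    return "SELECT id, name FROM users WHERE id = %d" % int(user_input)


def parameterized(conn: sqlite3.Connection, user_input: str):
    # Fix 3: prepared statement. The value is bound, never concatenated, so
    # the driver sends it as data and the parser never sees it as SQL.
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (user_input,)).fetchall()


def fetch(conn: sqlite3.Connection, sql: str):
    # Run a string-built query; a syntax error (e.g. a quote-breakout payload
    # against the unquoted form) is returned as text instead of raising.
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "SQL error: " + str(exc)


def demo(user_input: str) -> dict:
    """Run one input through the vulnerable query and the three fixes and
    return what each one matched ('rejected' when the int cast refuses it)."""
    conn = make_db()
    try:
        cast_rows = fetch(conn, intcast_query(user_input))
    except ValueError:
        cast_rows = "rejected"
    return {
        "unquoted": fetch(conn, vulnerable_query(user_input)),
        "quoted": fetch(conn, quoted_query(user_input)),
        "intcast": cast_rows,
        "prepared": parameterized(conn, user_input),
    }


if __name__ == "__main__":
    for payload in ("2", "1 OR 1=1", "1' OR '1'='1"):
        print(repr(payload), "->", demo(payload))
```

With the payload `1 OR 1=1` the unquoted form returns every row in the table, while the quoted, cast and prepared forms return nothing or reject the input; with the classic quote-breakout `1' OR '1'='1`, the quoted form is protected by `escape()` exactly as intended, and the unquoted form simply fails to parse.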