RE: Who knows something about SQL and PHP
It would go on the lines right before mysql_query("INSERT INTO...");
Yes, you're just a regular guy, but it is those regular guys whose websites get hacked because they don't know things like this.
Essentially any information you save to a database from user input needs to be sanitized to prevent special characters from performing unwanted things (SQL injection etc.).
So essentially any incoming data you run mysql_real_escape_string on before you insert or run a query using it. If you're inserting an integer from user input, typecast it to an integer first.
For example:
String: My test' string
Result unescaped: INSERT INTO test ('abc') VALUES ('My test' string');
After mysql_real_escape_string: INSERT INTO test ('abc') VALUES('My test\' string');
Notice how in the unescaped version there is an extra quote in there? We don't want that; it is bad and can cause malicious things.
Second example of typecasting:
Incoming Integer (number): abc
Notice how it isn't a number?
Query: "SELECT * FROM test WHERE test=".$_POST['integer'].";";
Resulting Query: SELECT * FROM test WHERE test=abc.
Now we have a problem. Because we want to be querying using an integer, a malicious user has entered a text string, and we aren't quoting and escaping the value (you don't have to for integers), whatever they enter can be executed as an additional query.
Solution?
Query: "SELECT * FROM test WHERE test=".(int)$_POST['integer'].";";
Resulting Query: SELECT * FROM test WHERE test=0
Because we've cast the data to an integer and abc is not an integer (and doesn't contain one), 0 is returned; thus in this example we're protected.
This is only a subset of what you need to look out for but it covers the basics.
Chris
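The two examples from the post above (escaping the string input and integer-casting the numeric input), reconstructed as a runnable example that is not from the original post; mysql_escape and php_int_cast are stand-ins written here to approximate mysql_real_escape_string and PHP's (int) cast, not calls to the real functions.

```python
import re

# Characters that mysql_real_escape_string backslash-escapes for the default
# (single-byte) connection charset. Constructed stand-in: the real function is
# charset-aware and needs a live connection, which this approximation does not.
_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}


def mysql_escape(value: str) -> str:
    """Escape a string the way mysql_real_escape_string would (approximation)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def php_int_cast(value: str) -> int:
    """Approximate PHP's (int) cast on a string: optional leading whitespace, then
    a leading decimal integer; anything else yields 0 ('abc' -> 0, '12abc' -> 12)."""
    match = re.match(r"\s*([+-]?\d+)", value)
    return int(match.group(1)) if match else 0


def insert_query(user_input: str, escape: bool) -> str:
    """Build the INSERT from the post, with or without escaping the string value."""
    value = mysql_escape(user_input) if escape else user_input
    return f"INSERT INTO test ('abc') VALUES ('{value}');"


def select_query(user_input: str, cast: bool) -> str:
    """Build the SELECT from the post, with or without the (int) cast."""
    value = php_int_cast(user_input) if cast else user_input
    return f"SELECT * FROM test WHERE test={value};"


if __name__ == "__main__":
    # Constructed inputs matching the post's two examples.
    print(insert_query("My test' string", escape=False))  # stray quote breaks the SQL
    print(insert_query("My test' string", escape=True))   # quote is escaped
    print(select_query("abc", cast=False))                # text lands in the query
    print(select_query("abc", cast=True))                 # cast forces it to 0
```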