Re:SQL too (Score 2)
[mysql_real_escape_string] is made for escaping strings in case they contain a character that would break SQL. It's up to you to filter your inputs.
And this is why you fail, and why PHP coders have the reputation of clueless monkeys.
You don't filter your inputs when you are about to feed them to an SQL query. You use placeholders and let the database cast your input into the right data type. You trust the database library to know that something is a data type and feed it to the query as a parameter, not as query text. If you trust filtering, all you need is one mistake and it's Bobby Tables time.
Mart
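The point of the comment above, shown as an added example that is not part of the original thread: the same two lookups written once by pasting the input into the query text and once with placeholders. It uses Python's standard-library sqlite3 driver instead of PHP and MySQL so it runs offline; the table, its two rows and the two hostile inputs are constructed for the demonstration. The PHP equivalent is a PDO prepared statement (`$pdo->prepare('... WHERE name = ?')` followed by `$stmt->execute([$name])`), which behaves the same way.

```python
import sqlite3


def make_db():
    """Constructed sample data for the demonstration (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO students (name) VALUES (?)", [("Alice",), ("Bob",)])
    conn.commit()
    return conn


# --- Vulnerable: the input becomes part of the query text -------------------

def find_by_name_concat(conn, name):
    # Whatever quoting the input carries is interpreted as SQL.
    sql = "SELECT name FROM students WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_by_id_concat(conn, student_id):
    # The "one mistake" case: a numeric field that nobody thought to filter,
    # and escaping quotes would not have helped because there are no quotes.
    sql = "SELECT name FROM students WHERE id = " + student_id + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


# --- Fixed: placeholders; the driver passes the value as a parameter ---------

def find_by_name_param(conn, name):
    # The whole string, quotes and all, is compared as one value.
    sql = "SELECT name FROM students WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


def find_by_id_param(conn, student_id):
    # The database casts the parameter to the column's type: "1" matches
    # id 1, while "1 OR 1=1" is not a number and matches nothing.
    sql = "SELECT name FROM students WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (student_id,))]


def demo():
    """Run both hostile inputs through both styles and return what each lookup saw."""
    conn = make_db()
    tautology = "x' OR '1'='1"   # constructed hostile input for a quoted field
    numeric = "1 OR 1=1"         # constructed hostile input for an unquoted field
    return {
        "concat_name": find_by_name_concat(conn, tautology),   # every row leaks
        "param_name": find_by_name_param(conn, tautology),     # no such student
        "concat_id": find_by_id_concat(conn, numeric),         # every row leaks
        "param_id": find_by_id_param(conn, numeric),           # no such student
        "param_id_ok": find_by_id_param(conn, "1"),            # legitimate lookup
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:12s} -> {rows}")
```

sqlite3's `execute` refuses to run more than one statement, so the DROP TABLE half of the Bobby Tables payload is stopped by the driver here; a driver or API that accepts stacked queries would have executed it from the concatenated versions and still ignored it in the placeholder versions.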