Let me qualify this and say that I am very new to PHP and I may be unaware of something considered standard.
I am calling functions from inside my php (webpage) file that the user accesses with 2 or more variables like:
I sanitize both of my input variables using the PHP function "mysql_real_escape_string()".
Now my question is this, this seems very very simple am I actually protecting myself from SQL injection?
Is there anything else I need to look out for?
Also for reference my function is called like this inside my page.
[source lang="php"]<?php echo $mysite->TestFunctionRpt($_GET ['orderby'],$_GET ['sort'],$_GET['cust'],$_GET['startdate'],$_GET['enddate']);?>[/source]
Thank you for reading, hopefully you are having a great day!
Edited by yewbie, 25 October 2012 - 09:08 AM.