<?php
// Setup PHPLive: seed the request parameter that both example queries below
// read. The value deliberately contains an unescaped single quote so the
// resulting SQL shows what the (no-op) escape_string() lets through.
$_GET['value'] = '\' or 1=\'1';
/**
 * Placeholder escaper that returns its argument untouched.
 *
 * The mysql_real_escape_string() call is commented out, so nothing is
 * escaped here: whatever the caller passes in is embedded verbatim in the
 * SQL strings built below. Treat any query built from this return value as
 * unsanitised; real code should bind the value as a prepared-statement
 * parameter instead of interpolating it.
 *
 * @param mixed $str value to (not) escape
 * @return mixed the same value, unchanged
 */
function escape_string($str)
{
    // Intentionally a pass-through; see the docblock.
    $untouched = $str;

    return $untouched;
}
/*----------------
Example A
----------------*/
// Example A wraps escape_string() in a closure so it can be called inside
// a double-quoted string via {$escape_string(...)} interpolation.
$escape_string = static function ($str) {
    return escape_string($str);
};

// NOTE(review): escape_string() is a pass-through in this file, so
// $_GET['value'] is embedded in the SQL exactly as received. The query is
// assembled line by line to make the interpolation point obvious; the
// resulting string is identical to the inline form.
$sql_query = implode("\n", [
    '',
    'SELECT *',
    'FROM `tbl_name`',
    "WHERE `col_name`='{$escape_string($_GET['value'])}'",
    'LIMIT 1;',
]);
/*----------------
Example B
----------------*/
// Example B calls escape_string() directly and splices the result in with
// sprintf() instead of string concatenation; the produced SQL is the same
// as Example A's. As above, escape_string() does not actually escape
// anything, so the request value reaches the query unchanged.
$sql_query = sprintf(
    "\nSELECT *\nFROM `tbl_name`\nWHERE `col_name`='%s'\nLIMIT 1;",
    escape_string($_GET['value'])
);