I've been asked to handle a security issue for a site which was set up by another programmer. As of yet, I haven't seen any of the code, so I'm going off of assumptions a
Yes, mysql_real_escape_string() will escape any potentially hazardous characters. If you know that the arguments are numeric, it would not hurt to verify this as well using is_numeric().
You should also look at mysql::prepare -- This will ensure that only 1 statement is executed, and prevent additional SQL vulnerabilities.
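As an added illustration of the two points in the answer (validate numeric input, then use a prepared statement), here is an example that is not from the question or answer. It uses PDO with an in-memory SQLite database so it runs stand-alone; the table, rows and function names are constructed for the example, and with MySQL only the DSN and credentials would change.

```php
<?php
declare(strict_types=1);

// Constructed sample database: one small users table so the example runs offline.
function connect(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");
    return $db;
}

// Look up a user by an id that arrived as untrusted text (query string, form field, ...).
// Returns the name, or null when the id is not a whole number or no row matches.
function findUserName(PDO $db, string $rawId): ?string
{
    // Step 1: validate before the value goes anywhere near SQL.
    // is_numeric() also accepts "1.5" and "1e3"; FILTER_VALIDATE_INT is the stricter
    // check for an integer primary key (this choice is the example's, not the answer's).
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }

    // Step 2: the SQL text is a constant; the value is sent separately as a typed
    // parameter, so it can never be parsed as part of the statement. One prepare
    // also means exactly one statement is executed.
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $name = $stmt->fetchColumn();
    return $name === false ? null : (string) $name;
}

$db = connect();
var_dump(findUserName($db, '2'));     // a valid id: returns that row's name
var_dump(findUserName($db, '2abc'));  // fails validation: returns null, no SQL runs
var_dump(findUserName($db, '9'));     // valid but unknown id: returns null
```

When porting this to the mysql connection the question is about, use mysqli or PDO's MySQL driver; the legacy mysql_* functions have no prepared-statement API, which is why escaping was the only option there.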