We have all been there writing PHP code and trusting mysql_real_escape_string(). Alas it seems it is not enough, let us look at the example below ; $id = “0; DELETE FROM users”