We have all been there writing PHP code and trusting mysql_real_escape_string(). Alas it seems it is not enough, let us look at the example below ; $id = “0; DELETE FROM users”; $id = mysql_real_escape_string($id); // 0; DELETE FROM users mysql_