if (isset($_GET['id'])) {
    // addslashes() only escapes quotes, backslashes and NUL bytes; it does not check that the value is numeric
    $colname_GetLetter = (get_magic_quotes_gpc()) ? $_GET['id'] : addslashes($_GET['id']);
}
mysql_select_db($****, $*****);
// %s interpolates the value into an unquoted numeric position in the WHERE clause
$query_GetLetter = sprintf("SELECT * FROM letters WHERE id = %s ", $colname_GetLetter);
If somebody tries to inject an SQL query, will (get_magic_quotes_gpc()) ? $_GET['id'] : addslashes($_GET['id']); catch it, or is it missing a test for an integer value too?
If you're passing an integer (which I see you are because you're not surrounding it with quotes), I don't think even mysql_real_escape_string needs to be used. Just be sure to clean it with intval().
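To make the difference between the two approaches concrete, here is an added example (not code from either poster) that builds the same query three ways on constructed inputs, with no database connection: the original addslashes() path, the intval() coercion suggested in the reply, and a stricter variant using filter_var() with FILTER_VALIDATE_INT that rejects a non-integer instead of silently turning it into 0 or truncating it. The function names are assumptions made for this example.

```php
<?php
// Added example, not the original poster's code. Compares three ways of
// handling $_GET['id'] for an unquoted integer position in a WHERE clause.

declare(strict_types=1);

// What the posted code does: addslashes() escapes only quotes, backslashes
// and NUL bytes. In an unquoted numeric context there is nothing to escape,
// so a non-numeric value passes straight into the SQL text.
function buildWithAddslashes(string $id): string
{
    return sprintf("SELECT * FROM letters WHERE id = %s", addslashes($id));
}

// What the reply recommends: coerce to an integer before interpolation.
// intval('42 OR 1=1') is 42 and intval('abc') is 0, so the query is always
// well-formed, but the caller never learns that the input was bad.
function buildWithIntval(string $id): string
{
    return sprintf("SELECT * FROM letters WHERE id = %d", intval($id));
}

// Stricter variant: accept only a whole integer and return null otherwise,
// so the request can be refused and the rejected value logged.
function buildValidated(string $id): ?string
{
    $int = filter_var($id, FILTER_VALIDATE_INT);
    if ($int === false) {
        return null; // caller should respond 400 and log the raw value
    }
    return sprintf("SELECT * FROM letters WHERE id = %d", $int);
}

// Constructed sample inputs: a normal id, a tampered id, and a non-numeric id.
$samples = ['42', '42 OR 1=1', 'abc'];
foreach ($samples as $s) {
    printf("input %-12s addslashes: %s\n", var_export($s, true), buildWithAddslashes($s));
    printf("%-18s intval:     %s\n", '', buildWithIntval($s));
    printf("%-18s validated:  %s\n", '', buildValidated($s) ?? '(rejected)');
}
```

Running it shows that addslashes() leaves '42 OR 1=1' unchanged, so the first query's WHERE clause becomes "id = 42 OR 1=1" and matches every row, while intval() reduces it to "id = 42" and the validated builder refuses it. The third form is the one to prefer when the value is meant to be an identifier, because a failed validation is a signal worth logging. Note also that get_magic_quotes_gpc() has returned false since PHP 5.4 and the mysql_* extension was removed in PHP 7.0; on current PHP the same query belongs in a prepared statement (PDO or mysqli) with the id bound as an integer parameter, which removes the interpolation entirely.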