I want to prevent the 1=1 using mysql_real_escape_string, but I'm not sure if I'm doing it right because I can still perform 1=1. This is my code:
$memberId = mysql_real_escape_string($_GET["memberId"]);
$sql = "SELECT firstName, lastName, dateSent, message, messageId FROM member, message WHERE member.memberId = message.sentFromId AND message.inboxId=" . $memberId . " ORDER BY dateSent DESC;";
Thanks
mysql_real_escape_STRING() is for STRINGS, not integers. There's nothing in 1=1 that requires escaping, so m_r_e_s() will pass it back unchanged.
If you're dealing with integers, then use integer tools:
$memberID = intval($_GET['memberId']);
The only correct way to not have SQL injections is using prepared statements. If you attempt to mitigate using escaping you will fail. If you as a rule never concatenate your queries and always use prepared statements, you have a chance.
It also has the advantage of making your code more readable, and it has no disadvantages.
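The three approaches on this page side by side (the question's escape-and-concatenate, the first answer's intval(), the second answer's prepared statement), as an added example that is not the question's or either answer's code. It assumes PHP with the pdo_sqlite extension, uses addslashes() as an offline stand-in for mysql_real_escape_string(), and constructs the member and message tables from the question's column names.

```php
<?php
// Added example, not code from the question or either answer: the question's inbox
// query run three ways against an in-memory SQLite database through PDO so it runs
// offline. Table layout and rows are constructed to match the question's column names.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE member (memberId INTEGER, firstName TEXT, lastName TEXT)");
$db->exec("CREATE TABLE message (messageId INTEGER, sentFromId INTEGER, inboxId INTEGER,"
        . " dateSent TEXT, message TEXT)");
$db->exec("INSERT INTO member VALUES (1, 'Ann', 'Lee'), (2, 'Bob', 'Ray')");
$db->exec("INSERT INTO message VALUES (10, 1, 2, '2024-01-01', 'to Bob'),"
        . " (11, 2, 1, '2024-01-02', 'to Ann')");

const HEAD = "SELECT firstName, lastName, dateSent, message, messageId FROM member, message"
           . " WHERE member.memberId = message.sentFromId AND message.inboxId=";
const TAIL = " ORDER BY dateSent DESC";

// The question's approach: escape the value, then paste it into the SQL text as a bare number.
function byConcat(PDO $db, string $memberId): array {
    // addslashes() stands in for mysql_real_escape_string(), which needs a MySQL connection;
    // both only escape quotes, backslashes and NUL, and "0 OR 1=1" contains none of them.
    $escaped = addslashes($memberId);
    return $db->query(HEAD . $escaped . TAIL)->fetchAll(PDO::FETCH_ASSOC);
}

// First answer: cast to int first, so whatever gets concatenated can only be a number.
function byIntval(PDO $db, string $memberId): array {
    $id = intval($memberId);   // "0 OR 1=1" becomes 0
    return $db->query(HEAD . $id . TAIL)->fetchAll(PDO::FETCH_ASSOC);
}

// Second answer: a prepared statement; the value is bound as a parameter and is never
// part of the SQL text, so it cannot change the statement's structure.
function byPrepared(PDO $db, string $memberId): array {
    $stmt = $db->prepare(HEAD . ":inbox" . TAIL);
    $stmt->bindValue(':inbox', (int) $memberId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$hostile = "0 OR 1=1";   // what ?memberId=0 OR 1=1 arrives as in $_GET
// Concatenation yields "... AND message.inboxId=0 OR 1=1": the OR applies to the whole
// WHERE clause, so every row of the member x message cross join comes back.
echo count(byConcat($db, $hostile)), " rows via concatenation\n";
echo count(byIntval($db, $hostile)), " rows via intval()\n";
echo count(byPrepared($db, $hostile)), " rows via prepared statement\n";
echo count(byPrepared($db, "1")), " row(s) for a genuine inbox id\n";
```

With the hostile input, the concatenated query returns all four cross-join rows (including member/message pairs that are not even valid joins), while intval() and the prepared statement both return none; only the prepared statement also keeps non-numeric ids out of the SQL text by construction rather than by a cast you have to remember.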