Which one is "good syntax":
$_GET['user'] = mysql_real_escape_string($user);
$_GET['hash'] = mysql_real_escape_string($hash);
or
$user = mysql_real_escape_string($_GET['user']);
$hash = mysql_real_escape_string($_GET['hash']);
Sorry for stupid question :/
If the first example you're doing mysql_real_escape_string() on an undefined variable. In the second example you forgot the triling ) for the mysql_real_escape_string() function.
Correct:
<?php
$user = mysql_real_escape_string($_GET['user']);
$hash = mysql_real_escape_string($_GET['hash']);
If you really, really want to override your $_GET superglobal, then the first could be correct. But I'd guess you don't and you want the second one, although you might want to fix the missing bracket.