SL8R.co.uk - Code Zone

Code, Code and Code


PHP: Avoiding mySQL Injections

April 30th, 2008

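Sample code to avoid SQL injection using mysql_real_escape_string (http://uk.php.net/mysql_real_escape_string), which escapes the special characters in a string so that it is safe to place inside a quoted string in an SQL statement. The escaped value must be wrapped in quotes in the query, as below; escaping alone does not protect a value that is inserted unquoted. The mysql_* extension was removed in PHP 7.0, where mysqli_real_escape_string is the equivalent call.
// Escape each value, then place it inside single quotes in the statement.
$mySQL = "UPDATE address SET postcode='" . mysql_real_escape_string($postcode) . "' WHERE id='" . mysql_real_escape_string($account) . "'";
$myResult = mysql_query($mySQL);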


Tags: Code