I'm considering using php on a site (for lack of mod_perl) but:
How do I escape user input going into queries?
Take this query:
mysql_query("select * from people where id=$id"); // double quotes, so $id is interpolated into the SQL text
$id comes from the URL (e.g. http://www.xxx.com/page.php?id=12).
If someone sets id to "0; delete * from people" it would effectively delete everything in the table (or not?)...
(in Perl i'd use prepare('select * from people where id=?')).
thanks,
-kurt.
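As an added example (not part of the original post), the PHP equivalent of the Perl prepare('... where id=?') the question asks for: PDO prepared statements. It uses an in-memory SQLite database so it runs stand-alone; the table, rows and the hostile id value are constructed for the demo. For MySQL you would use a 'mysql:host=...;dbname=...' DSN with credentials instead (and mysqli offers the same bind-parameter style); the legacy ext/mysql mysql_query() has no prepare(), only mysql_real_escape_string().

```php
<?php
// Added example, not code from the original post.
// Parameterised queries in PHP with PDO, demonstrated against SQLite so it
// runs offline. Swap the DSN for MySQL in real use.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data.
$pdo->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO people (id, name) VALUES (12, 'alice'), (13, 'bob'), (14, 'carol')");

// Hostile value of the kind that arrives via page.php?id=... (constructed).
$id = '0 OR 1=1';

// 1) Vulnerable: the value is pasted into the SQL text, so the attacker's
//    "OR 1=1" becomes part of the WHERE clause and the whole table matches.
$rows = $pdo->query("SELECT * FROM people WHERE id=$id")->fetchAll(PDO::FETCH_ASSOC);
printf("interpolated: %d rows\n", count($rows));

// 2) Safe: prepare() separates the SQL from the data. The placeholder is
//    bound to the entire string as one value, so none of it is parsed as SQL
//    and no id equals the text '0 OR 1=1'.
$stmt = $pdo->prepare('SELECT * FROM people WHERE id = ?');
$stmt->execute([$id]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
printf("prepared:     %d rows\n", count($rows));

// 3) The same prepared statement reused with a legitimate id.
$stmt->execute([12]);
print_r($stmt->fetchAll(PDO::FETCH_ASSOC));

// Belt and braces for an integer key (hypothetical helper): validate the
// type before the value gets near the database, and bind it as an integer.
function lookupPerson(PDO $pdo, $rawId): ?array
{
    if (filter_var($rawId, FILTER_VALIDATE_INT) === false) {
        return null; // not an integer: refuse rather than let the DB guess
    }
    $stmt = $pdo->prepare('SELECT id, name FROM people WHERE id = :id');
    $stmt->bindValue(':id', (int)$rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

var_dump(lookupPerson($pdo, '12'));
var_dump(lookupPerson($pdo, '0 OR 1=1'));
```

On the "or not?" in the question: the old mysql_query() sends exactly one statement, so a stacked "0; delete ..." is rejected by the server, but that is no protection, because a payload that stays inside the single statement (the OR 1=1 above, or a UNION SELECT pulling other tables) runs fine. The prepared statement is what makes the value inert; the integer check is defence in depth. On MySQL, setting PDO::ATTR_EMULATE_PREPARES to false makes PDO use true server-side prepares rather than client-side quoting.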