Protect from SQL Injection

I am attempting to add mysql_real_escape_string to all code that comes in and goes to the database… like so…

[php]
$url = mysql_real_escape_string($_POST['url']);

$result = mysql_query("SELECT * FROM history
WHERE url='$url'");

while($row = mysql_fetch_array($result))
{
$dupurl = $row['url'];
$dupurldate = $row['lastposted'];
}

if ($dupurl == $url)
{
die("URL was last posted on " . "$dupurldate" . ". Please wait at least 30 days before posting the same URL.");
}

[/php]

Only problem is it makes my script not work… when it checks the database, even though it should realize it's not there, it returns that it is…

How can I protect this field from injection?

I also have another field with a similar problem… it uses symbols in it that cannot be messed with or it breaks the script too!

It could. When it's escaped, anything like ' would end up being \'. If that's the case you can use a function called stripslashes when fetching data from the database:

[code]$url = mysql_real_escape_string($_POST['url']);

$result = mysql_query("SELECT * FROM history WHERE url='$url'");
while($row = mysql_fetch_array($result))
{
$dupurl = stripslashes($row['url']);
$dupurldate = stripslashes($row['lastposted']);
}

if ($dupurl == $url){
die("URL was last posted on " . "$dupurldate" . ". Please wait at least 30 days before posting the same URL.");
}[/code]

For anyone else interested in the answer… I moved down the line… basically right before it goes into the database I put the real escape string code and it works fine… but in theory couldn't someone break the PHP with some code before that?

Not sure how this works… just someone mentioned it to me…
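The worry in the follow-up is the right one: escaping only protects the one spot where SQL text is built, and the escaped copy must never be reused for comparisons or output. The usual way to remove that ordering problem is a prepared statement, where user input never becomes part of the SQL text at all. The following is an added example, not code from this thread, rewriting the same "was this URL posted recently?" check with mysqli; it assumes a `history` table with `url` and `lastposted` columns as in the original post, and the connection details are placeholders.

```php
<?php
// Added example (not from the thread): the duplicate-URL check from the
// original post written with a mysqli prepared statement. The SQL text is
// fixed; the URL travels to the server as a bound parameter, so the database
// cannot mistake data for SQL and no escaping / stripslashes round-trip is
// needed. Assumed schema: history(url VARCHAR, lastposted DATETIME).

function checkDuplicateUrl(mysqli $db, string $url): ?string
{
    // The "?" placeholder is filled by the driver, not by string building.
    $stmt = $db->prepare('SELECT lastposted FROM history WHERE url = ? LIMIT 1');
    $stmt->bind_param('s', $url);   // 's' = bind as a string
    $stmt->execute();
    $stmt->bind_result($lastPosted);
    $found = $stmt->fetch();        // true when a row matched
    $stmt->close();

    // The raw value was compared by the database itself; there is no
    // escaped copy that could fail to match what is stored.
    return $found ? $lastPosted : null;
}

// Placeholder credentials for illustration only.
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname');
if ($db->connect_error) {
    die('Connection failed: ' . $db->connect_error);
}

$url = $_POST['url'] ?? '';
$lastPosted = checkDuplicateUrl($db, $url);

if ($lastPosted !== null) {
    // Escape for the context the value is going into now: HTML, not SQL.
    die('URL was last posted on ' . htmlspecialchars($lastPosted, ENT_QUOTES, 'UTF-8')
        . '. Please wait at least 30 days before posting the same URL.');
}
```

The same pattern applies to the second field mentioned above: symbols in the input stop mattering to the query once the value is bound instead of spliced into the SQL string.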
