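/**
 * Escape a request value so it can be placed inside a single-quoted SQL string literal.
 *
 * The result is only safe between quotes, as in the query below. It gives no
 * protection if pasted into an unquoted position (numeric comparison, identifier,
 * LIMIT/ORDER BY). The escaping also depends on the connection character set,
 * so that should be set with mysql_set_charset() rather than a "SET NAMES" query.
 *
 * NOTE(review): ext/mysql was deprecated in PHP 5.5 and removed in PHP 7.0.
 * The durable fix is a prepared statement with a bound parameter (mysqli or PDO),
 * which needs a connection handle that is not visible in this snippet.
 *
 * @param mixed $value Raw value, typically taken straight from the request.
 * @return string|false Escaped string, or false when the value is absent, empty,
 *                      not a scalar, or when the escape call itself fails.
 */
function secure($value)
{
    // ?name[]=x arrives as an array; refuse it instead of handing a non-string
    // to the escape function.
    if (!is_scalar($value)) {
        return false;
    }

    // false is the caller's "parameter missing" marker and '' carries no value.
    if ($value === false || $value === '') {
        return false;
    }

    // A plain truthiness test would also discard "0" and 0, which are valid
    // values, so the checks above are strict.
    return mysql_real_escape_string((string) $value);
}

// Untrusted input: nothing from the query string is used until it has gone through secure().
$name = isset($_GET['name']) ? $_GET['name'] : false;

// When secure() returns false the concatenation yields an empty literal (name='').
$escapedName = secure($name);

// NOTE(review): the result of mysql_query() is discarded here, so a failed query goes unnoticed.
mysql_query("SELECT .... WHERE name='" . $escapedName . "'");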