I've never understood why this is always such a problem. You essentially have two options:
1) You're expecting a string, in which case you must escape the input:
PHP Code:
// Escaping needs an open connection: the escaping rules depend on the
// connection's character set, so set it before escaping anything.
$db = mysqli_connect('localhost', 'user', 'password', 'my_database');
mysqli_set_charset($db, 'utf8mb4');
$val = mysqli_real_escape_string($db, $_GET['val']); // mysqli_escape_string() is an alias
$sql = "select * from my_table where some_column = '$val'"; // value must be quoted
2) You're expecting a numeric value, in which case you must cast the input to the appropriate type:
PHP Code:
$val = (int)$_GET['val']; // anything non-numeric becomes 0, so no SQL can leak through
$sql = "select * from my_table where some_column = $val"; // no quotes needed for a number
It's pretty trivial to write a function to make this a little easier (and if you're using prepared statements, a function already exists), but you must always, explicitly sanitize user input in your code. No "anti-injection" script will magically handle this for you.
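As an added example (not the poster's code), here is the kind of small helper the post alludes to, applying rule 1 or rule 2 depending on the expected type, followed by the prepared-statement form that makes both rules unnecessary. It assumes PHP 8, a mysqli connection `$db` and a table `my_table` with columns `some_column` and `id`; all of those are placeholders.

```php
<?php
declare(strict_types=1);

// Assumed connection; set the charset so escaping matches the connection.
$db = new mysqli('localhost', 'user', 'password', 'my_database');
$db->set_charset('utf8mb4');

/**
 * Build a "column = value" fragment for WHERE, choosing the sanitizing
 * strategy from the expected type: strings are escaped and quoted,
 * integers are cast. Anything else is refused rather than guessed.
 */
function where_eq(mysqli $db, string $column, mixed $value, string $type): string
{
    // Column names cannot be escaped like values; only allow a fixed pattern.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $column)) {
        throw new InvalidArgumentException('bad column name');
    }
    return match ($type) {
        'int'    => sprintf('%s = %d', $column, (int)$value),
        'string' => sprintf("%s = '%s'", $column, $db->real_escape_string((string)$value)),
        default  => throw new InvalidArgumentException("unknown type: $type"),
    };
}

// Rule 1 (string) and rule 2 (integer) through the helper.
$byName = 'SELECT * FROM my_table WHERE '
    . where_eq($db, 'some_column', $_GET['val'] ?? '', 'string');
$byId   = 'SELECT * FROM my_table WHERE '
    . where_eq($db, 'id', $_GET['id'] ?? 0, 'int');

// Prepared statement: the values never become part of the SQL text, so
// neither escaping nor casting is needed. 's' and 'i' declare the bound types.
$val = $_GET['val'] ?? '';
$id  = $_GET['id'] ?? 0;
$stmt = $db->prepare('SELECT * FROM my_table WHERE some_column = ? AND id = ?');
$stmt->bind_param('si', $val, $id);
$stmt->execute();
$rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
```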