Re: PHPNuke SQL Injection / General SQL Injection

When programming a system that creates SQL strings based on passed-in integers,
i.e. where some_int=$variable_from_querystring
you must always do a check to confirm that the variable contains only numeric
data.

An alternate fix on SQL servers that allow the format
where some_int='1234' -- (quoted numbers)
would be to do
where some_int='replace($variable_from_querystring,"'","''")'
This would cause a more than likely harmless error to occur whenever a character
occurs within the passed-in numeric/integer variable.
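The two approaches from the post side by side, as an added example that is not from the original mail or PHPNuke: a strict integer check before the value reaches the query (plus parameter binding), and the quoted-and-escaped form, compared against the unchecked pattern on a constructed SQLite table (the table, rows and function names are assumptions for the demo).

```python
import re
import sqlite3

# Constructed sample data so the example runs offline; one row is unpublished.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE articles (id INTEGER, title TEXT, published INTEGER)")
_conn.executemany(
    "INSERT INTO articles VALUES (?, ?, ?)",
    [(1, "public post", 1), (2, "draft", 0), (3, "other public", 1)],
)

# ASCII digits only, optional sign, nothing else (fullmatch rejects trailing newlines).
_INT_RE = re.compile(r"-?[0-9]+")


def is_integer_param(value: str) -> bool:
    """The check the post asks for: the value must contain only numeric data."""
    return _INT_RE.fullmatch(value) is not None


def titles_unchecked(sid: str) -> list[str]:
    """The defect: the query-string value is spliced straight into the SQL text."""
    sql = f"SELECT title FROM articles WHERE published=1 AND id={sid}"
    return [row[0] for row in _conn.execute(sql)]


def titles_validated(sid: str) -> list[str]:
    """Primary fix: reject non-integers, then bind the value as a parameter."""
    if not is_integer_param(sid):
        raise ValueError("some_int must be an integer")
    sql = "SELECT title FROM articles WHERE published=1 AND id=?"
    return [row[0] for row in _conn.execute(sql, (int(sid),))]


def titles_quoted(sid: str) -> list[str]:
    """Alternate fix from the post: quote the number and double any single quotes.

    A non-numeric value then stays inside the string literal; SQLite compares it
    to the INTEGER column without a match, other servers raise a type error.
    """
    escaped = sid.replace("'", "''")
    sql = f"SELECT title FROM articles WHERE published=1 AND id='{escaped}'"
    return [row[0] for row in _conn.execute(sql)]


def validated_rejects(sid: str) -> bool:
    """True if the validating path refuses the value (used by the checks below)."""
    try:
        titles_validated(sid)
    except ValueError:
        return True
    return False
```

Run `titles_unchecked("2 OR 1=1")` against `titles_validated` and `titles_quoted` with the same input to see the unpublished row leak only through the unchecked path.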

