atleast this part: $user_id = mysql_real_escape_string((int) $_GET['user_id']);
I'm not sure who put this in there, but you don't need to use mysql_real_escape_string() on that value if you're type casting it. If you are forcing it to be an integer, there is nothing to escape. Integers are perfectly fine to be put into a query as they are. - Craige -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
