If you don't know it yet, mysql_real_escape_string() is the PHP function that escapes a string for use in a MySQL query so as to prevent SQL injection.
But it's irritating to type out every time you want to sanitize a value.
So, let's simplify the burden.
function __($var){ return mysql_real_escape_string($var); }
With this function you just need to wrap the variable in __():
$sql="SELECT * FROM `new` WHERE title='".__($_POST['title'])."'";
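The helper from above, as an added example that is not the post's own code, together with the precondition it relies on (an open connection, since the escaping depends on the connection charset) and the mysqli prepared-statement form that needs no escaping step at all; the connection credentials and database name are placeholders:

```php
<?php
// Added example (not the original post's code). Credentials are placeholders.

// mysql_real_escape_string() escapes according to the charset of an OPEN
// connection, so __() only works after mysql_connect() has succeeded.
// The mysql_* extension was removed in PHP 7.0; this part runs on PHP 5 only.
$link = mysql_connect('localhost', 'db_user', 'db_password'); // placeholders
mysql_select_db('app_db', $link);                              // placeholder
mysql_set_charset('utf8', $link);

function __($var) {
    return mysql_real_escape_string($var);
}

// Correct use: the escaped value sits inside single quotes in the SQL text.
$sql = "SELECT * FROM `new` WHERE title='" . __($_POST['title']) . "'";

// Escaping only neutralises quote and backslash characters, so it protects
// nothing when the value is interpolated without surrounding quotes (a numeric
// column). Cast numeric input instead of escaping it.
$sql = "SELECT * FROM `new` WHERE id=" . (int) $_POST['id'];

// Equivalent with a mysqli prepared statement (PHP 5.x and 7+): the value is
// sent separately from the SQL text, so there is no escaping step to forget.
$db = new mysqli('localhost', 'db_user', 'db_password', 'app_db'); // placeholders
$db->set_charset('utf8mb4');
$stmt = $db->prepare("SELECT * FROM `new` WHERE title = ?");
$stmt->bind_param('s', $_POST['title']);
$stmt->execute();
$result = $stmt->get_result(); // requires the mysqlnd driver (default since 5.4)
while ($row = $result->fetch_assoc()) {
    // use $row
}
```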
Thanks for visiting