This is pretty open ended, but generally, what do you guys do for mysql security? Will using "mysql_real_escape_string" do the trick or are there other holes to plug? For example, do I need to worry about certain characters like "--" or ";"?
One piece of advice I received suggested only allowing strings into the database. If I have my table column labeled "VARCHAR" does this automatically make the conversion, or do I need to convert it with php before sending it to the database?
What methods do you guys use? Any comprehensive resources you can point me towards?