So, a few days ago I asked about how to prevent MySQL injection. Someone suggested I use only mysql_real_escape_string,
but that's not enough because someone can use shit like ORDER BY
and others that I will not tell you here. I found that replacing bad characters with nothing in my scripts will make it impossible for someone to perform an injection.
$post = mysql_real_escape_string($_GET['post']); // escapes \, ', ", NUL, \n, \r and \x1a for a MySQL string context
$post = preg_replace('/[a-zA-Z _().,@-]/', '', $post); // strip letters, whitespace and the listed punctuation; '-' placed last so ")-." is not read as a character range
$posts = mysql_query("SELECT * FROM posts WHERE id=$post");
What that does: line 1 replaces characters like ' with \'; line 2 replaces bad characters and letters (I only use numbers) with space. If you use letters too, just erase the "a-zA-Z". Line 3 makes a safe query.
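For comparison, here is how the same lookup is usually written so that user input cannot alter the SQL at all, whatever characters it contains. This is an added example, not the poster's code: it validates the id as an integer (whitelist instead of stripping a blacklist of characters) and sends it to MySQL as a bound parameter of a prepared statement, so the query text is fixed before the value ever arrives. PDO is used because the mysql_* functions shown above were removed in PHP 7; the DSN, user name and password are placeholders you would replace with your own.

```php
<?php
// Added example (not the original poster's code): fetch a post by numeric id
// without building the query from a string. Assumes a PDO MySQL connection;
// the DSN, user and password below are placeholders.

// Whitelist validation: an id must be a positive integer, so anything else is
// rejected outright rather than cleaned up. Returns null on invalid input.
function validatePostId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// The SQL text is constant; the value travels separately as a bound parameter,
// so it can never change the statement's structure (no ORDER BY, UNION, comments
// or stacked queries can be injected through it).
function fetchPost(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT * FROM posts WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly instead of returning false
        PDO::ATTR_EMULATE_PREPARES => false,                  // use real server-side prepared statements
    ]
);

$id = validatePostId($_GET['post'] ?? '');
if ($id === null) {
    http_response_code(400);
    exit('invalid post id');
}

$post = fetchPost($db, $id);
if ($post === null) {
    http_response_code(404);
    exit('no such post');
}
// $post is now an associative array of the matching row
```

The two functions do different jobs and both are worth keeping: validatePostId() rejects garbage early with a clear 400, and fetchPost() guarantees that even a value which slips past validation cannot be interpreted as SQL. With this structure there is nothing left for a character-stripping regex to do, so the list of "bad" characters never has to be maintained or argued about.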