I've been using mysql_real_escape_string() to prevent injections, but I learned today that it didn't work in all case. This is the query I'm using in PHP:

$p_query = sprintf("SELECT * FROM tbl WHERE colA = '%s' AND colB = '%s' AND colC >= %s AND colC <= %s ORDER BY updated DESC",
mysql_real_escape_string($_GET['a']),
mysql_real_escape_string($_GET['b']),
mysql_real_escape_string($_GET['c']),
mysql_real_escape_string($_GET['d']));

$sth = mysql_query($p_query) or die(mysql_error());

But someone was still able to successfully run a query like this:

?a=whatever
&b=whatever
&c=999999.9+union+all+select+%28select+concat%280x27%2C0x7e%2Cusers.%2C0x27%2C0x7e %29+from+%db_name%60.users+Order+by+username+limit+2005%2C1%29+ %2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536 %2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536 %2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536--
&d=1

Luckily, the data is all encrypted on my end, so all they saw was gibberish. But I thought that mysql_real_escape_string() was supposed to prevent that?

I've modified this script to ensure that a and b are approved strings and that c and d are integers, but I have other scripts that accept raw user-inputted data. What else should I be doing to prevent SQL injections like this?

[edited by: incrediBILL at 1:22 am (utc) on Jun 9, 2014]
[edit reason] fixed scrolling problem [/edit]