Forum Moderators: coopster
for example:
$reference = $_REQUEST['reference'];
... use $reference in your code as usual...
$sql= "SELECT count(*) FROM track_page WHERE session_index='$session_index' AND reference='".addslashes($reference)."'";
$result = @mysql_query($sql);
Likewise, when you retrieve that data to display back to the user you may want to add htmlspecialchars($reference) around the code.
You can test your input fields by entering '
* I really would not recommend using magic_quotes.
str_replace( "'", "''", $evilInput );
Microsoft SQL interprets two single quotes ('') as a single escaped quote.
[edited by: WesleyC at 9:55 pm (utc) on July 23, 2007]
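An added example (not code from either post): the same track_page count query from the first post, once built with addslashes() as shown above, and once as a PDO prepared statement, which takes the values out of the SQL text entirely and so does not depend on the backslash escaping MySQL expects or the doubled quote ('') the second post describes for Microsoft SQL. The table track_page(session_index, reference), the environment variables TRACK_DSN/TRACK_USER/TRACK_PASS and the sample inputs are assumptions for the example.

```php
<?php
// Added example, not from the thread. Assumes a table track_page(session_index, reference)
// and a PDO driver (mysql or sqlsrv); connection details come from environment variables.

// Constructed inputs: the bare quote the post suggests typing, a name with an apostrophe,
// and an ordinary reference value.
$inputs = ["'", "O'Brien", "ref-42"];
$session_index = 'sess-1'; // constructed

// 1) String building with addslashes(), as in the post. Only the resulting SQL text is
//    shown here; nothing is sent to a database. Note that addslashes() escapes with a
//    backslash, which is what MySQL understands, not the doubled quote MSSQL wants.
function build_with_addslashes(string $session_index, string $reference): string {
    return "SELECT count(*) FROM track_page WHERE session_index='" . addslashes($session_index)
         . "' AND reference='" . addslashes($reference) . "'";
}

// 2) Prepared statement: the user values are bound as parameters and never become part of
//    the SQL string, so no quote handling is needed for either database.
function count_with_pdo(PDO $db, string $session_index, string $reference): int {
    $stmt = $db->prepare(
        'SELECT count(*) FROM track_page WHERE session_index = :s AND reference = :r'
    );
    $stmt->execute([':s' => $session_index, ':r' => $reference]);
    return (int) $stmt->fetchColumn();
}

// Echoing the value back to the browser is a separate problem: escape for HTML, not SQL.
function show(string $reference): string {
    return htmlspecialchars($reference, ENT_QUOTES, 'UTF-8');
}

foreach ($inputs as $reference) {
    echo build_with_addslashes($session_index, $reference), "\n";
    echo show($reference), "\n";
}

// Run the parameterized query only when a DSN is configured (hypothetical env var names).
$dsn = getenv('TRACK_DSN') ?: '';
if ($dsn !== '') {
    $db = new PDO($dsn, getenv('TRACK_USER') ?: '', getenv('TRACK_PASS') ?: '', [
        PDO::ATTR_ERRMODE         => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // let the server handle the parameters
    ]);
    foreach ($inputs as $reference) {
        printf("%s -> %d rows\n", $reference, count_with_pdo($db, $session_index, $reference));
    }
}
```

Running it without TRACK_DSN set just prints the three escaped query strings and the HTML-escaped echoes, which is enough to see how each input is transformed; with a DSN it also executes the bound query against the table.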