01-08-2009, 09:41 PM, post #7
sketchMedia

Quote:
Search for xss protection or something
You mean SQL injections. XSS (Cross Site Scripting) is when you allow a malicious user to enter unclean data (usually containing JavaScript code) to your site, which is then in turn displayed (at some point) to an unsuspecting user, allowing the attacker to send sensitive data from that user (like cookies) elsewhere. SQL injection is where you allow a malicious user to 'inject' his own SQL commands through an unprotected SQL query (such as the one posted above).

I think these articles may help you understand:
Securing your MySQL Queries with Sprintf
How to Login to Any Account on an Insecure Site
http://www.tizag.com/mysqlTutorial/m...-injection.php

Also, I advise that you turn error reporting off in a live server environment. Don't make the hacker's life easy by giving him feedback on his attempts (which in essence is what happens with errors).

Anyway, to the problem. Is your database stripping off the preceding zero? I say this because you are sending both 09 and 08 in the BETWEEN statement as strings (wrapped in single quotes), thus the DB will be comparing:

the string "08" and the integer 8
and so on and so forth.

In other words, what's the column's data type, and what does it currently hold?
__________________
mysql> SELECT * FROM `users` WHERE `users`.`clue` > 0;
Empty set (0.00 sec)
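Added example (not code from the thread or from sketchMedia): a runnable Python/SQLite stand-in for the PHP/MySQL situation described in the post above. The first two functions show the "login to any account" injection that a concatenated query allows and how a parameterised query defeats it; the third shows why the BETWEEN question about the column's data type matters, because whether the quoted strings '08' and '09' match a stored 8 depends on the column's declared type. The table names, sample accounts and payloads are constructed for the demo; the type-comparison rules shown are SQLite's affinity rules, used here as a stand-in, so check the real MySQL column type rather than assuming identical behaviour.

```python
import sqlite3

# Constructed sample accounts for the demo (not data from the original thread).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_users_db():
    """In-memory SQLite database standing in for the MySQL users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation: the 'unprotected query' pattern.

    The attacker's quote characters become part of the SQL text, so the
    WHERE clause can be rewritten from outside the application.
    """
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Same query with bound parameters: the input is only ever treated as data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def between_match_count(column_type, stored_value, lo, hi):
    """Rows matching `m BETWEEN lo AND hi` for one stored value and column type.

    Shows that quoted bounds like '08' and '09' match a stored 8 when the
    column is INTEGER (the text is converted to a number for the comparison)
    but not when the column is TEXT (8 is stored as '8' and compared as a
    string, and '8' sorts after '09'). These are SQLite affinity rules.
    """
    if column_type not in ("INTEGER", "TEXT"):  # whitelist: never splice raw input into DDL
        raise ValueError("demo supports INTEGER or TEXT only")
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE t (m {column_type})")
    conn.execute("INSERT INTO t VALUES (?)", (stored_value,))
    row = conn.execute("SELECT count(*) FROM t WHERE m BETWEEN ? AND ?", (lo, hi)).fetchone()
    return row[0]


if __name__ == "__main__":
    db = make_users_db()
    payload = "' OR '1'='1"           # classic quote-breaking payload in the password field
    print("vulnerable:", login_vulnerable(db, "alice", payload))   # every account
    print("as bob:    ", login_vulnerable(db, "bob'--", "wrong"))  # comments out the password check
    print("safe:      ", login_safe(db, "alice", payload))         # nothing
    print("INTEGER column, stored 8:", between_match_count("INTEGER", 8, "08", "09"))
    print("TEXT column, stored 8:   ", between_match_count("TEXT", 8, "08", "09"))
```

Running the vulnerable login with the password `' OR '1'='1` turns the WHERE clause into `username = 'alice' AND password = '' OR '1'='1'`, which is true for every row; the `bob'--` username comments out the password check entirely. The parameterised version returns nothing for both, because the driver never lets the input change the query text.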