Tanax, in your example the password is sent in a POST request (from a form) and fed (via mysql_escape_string) directly into the query. There are a couple of problems with that SQL query. Firstly, there are no quotes around where the password will go (... WHERE `pass` = '%s') -- unless all of your passwords are numbers, that will cause problems. Secondly, you compare the pass column in the database directly to the string sent through the POST request. You should never, ever, store passwords exactly as they are entered into forms (in "plain text"). Wildhoney has written about salting password hashes, as well as one soon to be released on dynamic salting. Finally, your query would be useless in any real terms because it would return a result if any password in the table matched what was POSTed. You must always match it against a parameter unique to each individual (user id number or similar). Oh, and you should use sprintf to "print to a string" rather than the printf that you have there.

All that said, as far as "protecting" the actual value passed from POST that is a good start.
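The login check the reply is asking for (salted hash instead of plain text, the row looked up by a per-user identifier through a bound parameter, never a match against every password in the table), written as an added example in Python against an in-memory SQLite table rather than the thread's PHP/MySQL code; the table layout, PBKDF2 parameters and user names are assumptions, not from the thread.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory database standing in for the MySQL table in the thread.
conn = sqlite3.connect(":memory:")
conn.execute(
    "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, "
    "salt BLOB, pass_hash BLOB)"
)

ITERATIONS = 100_000  # assumed PBKDF2 work factor


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest; the table never holds the plain text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(name: str, password: str) -> int:
    """Store a fresh per-user salt and the derived hash; returns the new user id."""
    salt = os.urandom(16)
    cur = conn.execute(
        "INSERT INTO users (name, salt, pass_hash) VALUES (?, ?, ?)",
        (name, salt, hash_password(password, salt)),
    )
    conn.commit()
    return cur.lastrowid


def login(name: str, password: str) -> bool:
    """Fetch ONE row by the unique user name (bound parameter, no string
    formatting), then verify the candidate against that row's hash only."""
    row = conn.execute(
        "SELECT salt, pass_hash FROM users WHERE name = ?", (name,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    # constant-time comparison so timing does not reveal how much matched
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    register("alice", "correct horse")
    register("bob", "battery staple")
    print(login("alice", "correct horse"))   # True
    print(login("alice", "battery staple"))  # False: valid for bob, not alice
```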