MySQL Forums

Newb needs help SQL Injection prevention
Posted by: David Ward
Date: June 24, 2012 02:32PM

Hey Guys,
Complete Newbie here.. First I'm not even sure a Stored Proc or Function will do what I need to, which is avoid SQL injection attacks. I can't use the PHP escape function because the components I want to search the DB for are in fact special characters
/ " >, etc? I'm developing an App that looks up English phrases or punctuation and returns the Braille symbols needed. I've been told, and it's been implied by what I've read, that the act of passing a variable through to MySQL in a Stored Procedure will more or less prevent a SQL injection? If that's true I really need to figure out what I'm doing wrong with my syntax.

here's my SQL Query in PHP (which works) so far; After establishing a connection
$ENG = "Put English Phrase or Punc Here";
mysql_select_db("ithelpex_test") or die(mysql_error());
// $ENG is pasted straight into the SQL text here; this is the interpolation the question is about
$result = mysql_query("SELECT * FROM br_test WHERE ENG LIKE '$ENG' ");

Here's what my procedure looks like:

DELIMITER //
CREATE PROCEDURE eng_lookup(
    -- renamed from eng: a parameter with the same name as the ENG column shadows it,
    -- so WHERE ENG LIKE eng would compare the parameter with itself and match every row
    IN p_eng VARCHAR(30)
)
BEGIN
    -- ithelpex_test is the database name in the PHP above, not a column; select the columns
    -- the PHP query selects. Statements inside the body must end with a semicolon.
    SELECT * FROM br_test WHERE ENG LIKE p_eng;
END
//
DELIMITER ;

I don't know what I'm getting wrong; I know I've got to make a variable going in but do I need to use the INTO function to get the result out? My debugger is a piece of junk and needless to say I'm having trouble finding decent tutorials online.

Thanks Guys.
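Editor's note with an added example (not code from the original post). Two points the question runs together: escaping does not stop you searching for special characters, it only makes sure they arrive inside the string literal intact; and it is not the stored procedure as such that blocks injection but the fact that the phrase is sent as a bound parameter instead of being pasted into the SQL text. In PHP that is what a mysqli or PDO prepared statement does, whether it runs `CALL eng_lookup(?)` or the SELECT directly. The script below uses Python's standard sqlite3 module as a stand-in for MySQL (parameter binding works the same way), a constructed br_test table whose Braille column holds placeholder strings, and hypothetical function names. It contrasts the interpolated query from the post with a bound one, and shows the caveat that binding leaves in place: `%` and `_` are still wildcards inside a LIKE pattern, so a literal match should use `=` or escape them.

```python
import sqlite3

# Constructed sample rows standing in for the poster's br_test table.  The second
# column holds placeholder strings, not real Braille cell codes.
SAMPLE_ROWS = [
    ("hello", "BRL_hello"),
    ('"', "BRL_double_quote"),
    ("'", "BRL_apostrophe"),
    ("/", "BRL_slash"),
    (">", "BRL_greater_than"),
    ("%", "BRL_percent"),
    ("_", "BRL_underscore"),
    ("10%", "BRL_ten_percent"),
]


def build_db():
    """Build an in-memory table with the shape the post describes (ENG -> Braille)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE br_test (ENG TEXT NOT NULL, BRL TEXT NOT NULL)")
    conn.executemany("INSERT INTO br_test (ENG, BRL) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_interpolated(conn, eng):
    """Mirror of the PHP in the post: the phrase is pasted into the SQL text.
    A quote in the phrase ends the string literal early, so the statement is
    malformed and whatever follows the quote is parsed as SQL."""
    sql = "SELECT ENG, BRL FROM br_test WHERE ENG LIKE '%s'" % eng
    return conn.execute(sql).fetchall()


def interpolation_breaks_on(conn, eng):
    """True when pasting `eng` into the query yields a statement the engine rejects."""
    try:
        lookup_interpolated(conn, eng)
        return False
    except sqlite3.Error:
        return True


def lookup_exact(conn, eng):
    """Hardened lookup: the phrase is bound as a parameter, so the SQL text is
    fixed and the value can only be compared, never executed.  Uses = because
    the post wants a whole-phrase match, so no wildcards are involved."""
    rows = conn.execute("SELECT BRL FROM br_test WHERE ENG = ?", (eng,))
    return [brl for (brl,) in rows]


def escape_like(text, esc="\\"):
    """Escape LIKE metacharacters so the user's text matches literally.  Binding
    removes injection, but % and _ remain wildcards inside a LIKE pattern."""
    return (text.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def lookup_prefix(conn, eng):
    """Bound LIKE search for phrases that start with the user's text."""
    pattern = escape_like(eng) + "%"
    rows = conn.execute(
        "SELECT ENG FROM br_test WHERE ENG LIKE ? ESCAPE '\\'", (pattern,))
    return sorted(e for (e,) in rows)


if __name__ == "__main__":
    db = build_db()
    for phrase in ("/", '"', "it's", "%"):
        if interpolation_breaks_on(db, phrase):
            interp = "statement rejected"
        else:
            interp = lookup_interpolated(db, phrase)
        print(repr(phrase), "interpolated:", interp,
              "| bound =:", lookup_exact(db, phrase),
              "| bound prefix:", lookup_prefix(db, phrase))
```

Running it shows the apostrophe in "it's" breaking the interpolated query while the bound lookups return the expected rows, and the interpolated search for `%` returning every row because the character acts as a wildcard. The PHP equivalent of `lookup_exact` with the stored procedure is `$stmt = $pdo->prepare("CALL eng_lookup(?)"); $stmt->execute([$ENG]);`, which sends the phrase as a parameter the same way.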
