just so you know ....
you really ought to be escaping those things before they go into sql, or someone could edit the querystring to have
code:
?start=blah'; DROP DATABASE; #
(or something similar ... I can't remember the syntax exactly off the top of my head).
If they did that, it'd drop your database, which is bad.
You may be fairly safe already if your server has magic quotes turned on, and if you are aware of all the above but let it go because of magic quotes .... sorry! Just trying to help.
I'd also change the
code:
if (isset($_GET['start'])) $start = $_GET['start'];
to
code:
if (isset($_GET['start']) && is_numeric($_GET['start'])) $start = $_GET['start'];
Anything other than numbers will cause breakage, and it's more secure if you only allow numbers.
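As an added illustration of the advice above (this is example code, not the poster's or the thread's own), the following PHP script validates the `start` parameter as a number and binds it as an integer in a prepared statement, so the query text never depends on string escaping or magic quotes (which were removed entirely in PHP 5.4). The `posts` table, its columns and the SQLite in-memory database are assumptions made so the script runs offline; the second input is the injection attempt quoted in the thread, shown being neutralised.

```php
<?php
// Added example, not the forum poster's code.
// Assumes an SQLite in-memory table "posts" (constructed below) so it runs offline.

// Return a safe paging offset from the query string: only accept numeric input,
// cast it to an integer, and fall back to the default for anything else.
function startParam(array $get, int $default = 0): int {
    if (!isset($get['start']) || !is_numeric($get['start'])) {
        return $default;
    }
    $start = (int)$get['start'];
    return $start < 0 ? $default : $start;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)');
$insert = $pdo->prepare('INSERT INTO posts (title) VALUES (?)');
foreach (['first', 'second', 'third', 'fourth'] as $title) {
    $insert->execute([$title]);
}

// Constructed inputs: a normal page request, and the malformed value from the thread.
$requests = [
    ['start' => '2'],
    ['start' => "blah'; DROP DATABASE; #"],
];

foreach ($requests as $get) {
    $start = startParam($get);
    // The offset is a bound integer parameter, never interpolated into the SQL text.
    $stmt = $pdo->prepare('SELECT title FROM posts ORDER BY id LIMIT 2 OFFSET :start');
    $stmt->bindValue(':start', $start, PDO::PARAM_INT);
    $stmt->execute();
    printf("start=%s -> offset %d -> %s\n",
        $get['start'], $start, json_encode($stmt->fetchAll(PDO::FETCH_COLUMN, 0)));
}
```

The hostile value is rejected by `is_numeric` and replaced with the default offset; even if the validation were skipped, `bindValue` with `PDO::PARAM_INT` would send the value as a parameter rather than as SQL, which is the property that escaping alone cannot guarantee.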