A few notes about your code:
First... please don't use mysql_query anymore. Use mysqli_query or PDO. In newer PHP versions mysql_xxx is deprecated and you should use the alternative.
Second... your code is very susceptible to attack. When you use a POST or GET variable you should check that it does not contain harmful code. If your MAX_ID could only be a number I would suggest the following (note the intval part):
$maxId = 0;
if (isset($_POST['MAX_ID'])) $maxId = intval($_POST['MAX_ID']);
It also checks if MAX_ID is not set (if so your $maxId is 0), and $maxId can only result in a number.
And last... because with the above $maxId can only result in a number, you don't need mysql_real_escape_string. So this would be enough:
$sql = "SELECT * FROM News where Nid > ".$maxId;
(please note the warning at the top of the manual of this function about mysql_xxx being deprecated).
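The PDO route mentioned above, as an added example that is not part of the original answer: the integer check and a bound parameter used together. It assumes an in-memory SQLite table standing in for News (the Title column is made up) and two hypothetical helpers, parseMaxId and newsAfter.

```php
<?php
// Added example. Constructed in-memory table standing in for the News table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE News (Nid INTEGER PRIMARY KEY, Title TEXT)');
$pdo->exec("INSERT INTO News (Nid, Title) VALUES (1,'first'),(2,'second'),(3,'third')");

/**
 * Hypothetical helper: turn the raw MAX_ID request value into an int.
 * Missing or non-integer input falls back to 0, like the intval() version,
 * but "2 OR 1=1" is rejected outright instead of being truncated to 2.
 */
function parseMaxId(array $post): int
{
    $id = filter_var($post['MAX_ID'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]);
    return $id === false ? 0 : $id;
}

/**
 * Hypothetical helper: the query with a bound integer parameter, so the
 * value is never concatenated into the SQL text.
 */
function newsAfter(PDO $pdo, int $maxId): array
{
    $stmt = $pdo->prepare('SELECT Nid, Title FROM News WHERE Nid > :maxId ORDER BY Nid');
    $stmt->bindValue(':maxId', $maxId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample inputs, standing in for $_POST.
$samples = [['MAX_ID' => '1'], ['MAX_ID' => '2 OR 1=1'], []];
foreach ($samples as $post) {
    $maxId = parseMaxId($post);
    $nids = array_column(newsAfter($pdo, $maxId), 'Nid');
    printf("%-12s -> maxId=%d, rows: %s\n",
        var_export($post['MAX_ID'] ?? null, true), $maxId, implode(',', $nids));
}
```

With a bound parameter the query stays safe even if the validation step is later changed or removed, which is the main reason to prefer it over concatenating the cast value.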