[snip]
1. Anytime you put anything into a dB then use mysql_real_escape_string() function. If you are NOT going to put it in a dB, then you don't need mysql_real_escape_string() function -- understand?
[/snip]

Untrue... It isn't just inserting into a DB that requires this function... Consider:

User enters:

    anything'; DROP TABLE x; SELECT 'a' = 'a

into the form for username... Now your unescaped SQL statement reads:

    UPDATE members SET status='live' WHERE Username = 'anything'; DROP TABLE x; SELECT 'a' = 'a'

Where x can be a brute-forced table name...

I can't remember if MySQL allows multiple statements, but I seem to remember hearing that MySQL 5 does... If I'm wrong, correct me and tell me to RTFM :)

Nice catch on the error... I didn't notice that :)

HTH (and that I'm right :) )

Dan
-- 
http://chrome.me.uk

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
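The UPDATE in the post above, shown three ways: interpolated as-is, escaped with mysql_real_escape_string(), and as a PDO prepared statement. This is an added example and not code from the post or its author; the `members` table with columns `Username` and `status`, the hostile input, and the connection details are all constructed placeholders. Two points worth knowing in practice: the old mysql extension's mysql_query() sends a single statement, so a stacked `; DROP TABLE x` after the closing quote is rejected by the server with a syntax error rather than executed (mysqli_multi_query() is the call that enables stacking); but the injection is still a real one, because the attacker does not need a second statement to rewrite the WHERE clause, which is the payload used here.

```php
<?php
// Added example, not from the mailing-list post. Assumes a MySQL database `app`
// with a table `members` (columns `Username`, `status`); host, user and
// password are placeholders.

// Constructed hostile form input. No stacked statement is needed: the quote
// closes the string literal and the rest widens the WHERE clause to every row.
$username = "anything' OR '1'='1";

// 1. Vulnerable: raw interpolation of user input into the statement text.
$vulnerable = "UPDATE members SET status='live' WHERE Username = '$username'";
// Resulting SQL:
//   UPDATE members SET status='live' WHERE Username = 'anything' OR '1'='1'
// which sets status='live' on every member, not just one.

// 2. Escaping with the old mysql extension (PHP 5; removed in PHP 7).
//    mysql_real_escape_string() needs an open connection because it escapes
//    according to the connection's character set, and it only protects values
//    that sit inside a quoted string literal; an unquoted numeric column stays
//    injectable no matter how the input is escaped.
$link = mysql_connect('localhost', 'user', 'password');   // placeholders
mysql_select_db('app', $link);
$safe = mysql_real_escape_string($username, $link);
$escaped = "UPDATE members SET status='live' WHERE Username = '$safe'";
// Resulting SQL:
//   UPDATE members SET status='live' WHERE Username = 'anything\' OR \'1\'=\'1'
// The whole input is now compared literally as one username, which matches
// no row.
mysql_query($escaped, $link);

// 3. Preferred: a prepared statement via PDO. The value travels separately
//    from the statement text, so there is no quoting rule to get wrong and
//    the point about "only needed when it goes into the DB" never arises:
//    every value reaching the query goes through a placeholder.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'password', [
    PDO::ATTR_EMULATE_PREPARES => false,   // server-side prepares, not client-side quoting
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);
$stmt = $pdo->prepare("UPDATE members SET status='live' WHERE Username = ?");
$stmt->execute([$username]);
echo $stmt->rowCount(), " row(s) updated\n";   // 0 unless that exact literal is a username
```

Escaping (2) is the direct answer to the post: it is required wherever user input becomes part of SQL text, regardless of whether the statement is an INSERT, UPDATE, SELECT or DELETE. The prepared statement (3) is what to reach for today; it also removes the dependency on remembering which contexts a given escaping function covers.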