Thanks Colin. Think I will do both. I can timeout the session with PHP. Does adding mysql_real_escape_string make this secure to injection or should I be doing something else? if ($_POST['submitted']){ $username = mysql_real_escape_string( $_POST['username'] ); $pass = mysql_real_escape_string( $_POST['pass'); $username = md5($username); $pass = md5($pass); $query = "SELECT username, pass FROM login where username='$username' AND pass ='$pass'"; -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php