Jason Pruim <japruim@xxxxxxxxxx> wrote:
> Hi Everyone, I think I have found a way to prevent SQL code injection into my database and just wanted to get everyone's comments on my method. Am I correct in thinking that I'm fairly safe from the bad people and the stupid users?

You need to consider someone entering scripts that could do bad things when the data is sent to a web site. You use the function htmlspecialchars() for this (or one of its siblings). You should also use mysql_real_escape_string() on any data being inserted into your database. But you must deal with magic quotes first. If they are enabled, I remove them from my posted variables as the first step.

Cheers
Stephen
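The three-step sequence Stephen describes (undo magic quotes, escape for the SQL context on insert, escape for the HTML context on output), written out as an added example that is not code from either poster. It uses the real PHP functions named in the reply; `$link` is assumed to be an already-open mysql connection, and the `comments` table, `body` column and the sample input are constructed for illustration.

```php
<?php
// Added example, not from the thread. Assumes $link is an open connection
// from mysql_connect(); table and column names are made up.

// Step 1: undo magic_quotes_gpc so the value is not escaped twice
// (doing this first is the point Stephen makes about ordering).
function strip_magic_quotes($value) {
    if (!get_magic_quotes_gpc()) {
        return $value;
    }
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return stripslashes($value);
}

// Step 2: escape for the SQL string-literal context, using the
// connection's character set, and wrap in quotes so the result
// can only ever be read by MySQL as a string value.
function for_sql($link, $value) {
    return "'" . mysql_real_escape_string($value, $link) . "'";
}

// Step 3: escape for the HTML context at output time. Done here,
// not before storage, so the database keeps the original text.
function for_html($value) {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$raw     = strip_magic_quotes($_POST);
$comment = isset($raw['comment']) ? $raw['comment'] : '';

// Constructed example input:  O'Brien <b>says</b> "hi"
// After for_sql():            'O\'Brien <b>says</b> \"hi\"'
// The quote cannot terminate the literal, so the statement shape is fixed.
$sql = "INSERT INTO comments (body) VALUES (" . for_sql($link, $comment) . ")";
if (!mysql_query($sql, $link)) {
    // Log server-side; do not echo mysql_error() to the browser.
    error_log('insert failed: ' . mysql_error($link));
}

// After for_html():  O&#039;Brien &lt;b&gt;says&lt;/b&gt; &quot;hi&quot;
// Tags are rendered as text rather than interpreted as markup.
echo '<p>' . for_html($comment) . '</p>';
```

Each escaping function matches one output context, which is why `for_html()` is applied only when the value is echoed and never before it is stored. Note that `get_magic_quotes_gpc()` and the `mysql_*` extension this thread assumes have since been removed from PHP (the extension in 7.0, the magic-quotes function in 8.0), so the same separation of contexts is applied today with parameterized queries on the SQL side and `htmlspecialchars()` on the HTML side.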