Yes, prepared statements protect against SQL injection because the "data" is
clearly separated from the SQL code, and MySQL knows what to do with "data".

The rest of your code has absolutely NOTHING to do with SQL injection, but
with data validation and business logic.

On Thu, May 24, 2007 11:10 am, Jason Pruim wrote:
> I think I have found a way to prevent SQL code injection into my
> database and just wanted to get everyone's comments on my method.
>
> //Create the statement
> $stmt = mysqli_prepare($link, "INSERT INTO current VALUES
> (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)");
> mysqli_stmt_bind_param($stmt, 'sssssssssssssss', $FName, $LName,
> $Add1, $Add2, $City, $State, $Zip, $Date, $Record, $subName,
> $subEmail, $subPhone, $chkMember, $chkAdd, $chkDel);
>
> //Add the record
> mysqli_stmt_execute($stmt);

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
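The separation the reply describes, as an added example that is not code from the original thread: the same INSERT written with string interpolation beside the prepared-statement form Jason posted, followed by the kind of input validation the reply calls a separate concern. The two-column table layout, the column names FName/LName/Zip/subEmail, the connection credentials and the attacker string are all assumptions made for this demo.

```php
<?php
// Added example, not code from the original thread. It assumes a mysqli
// connection to a database holding a table `current` with at least the
// columns FName and LName (assumed names for this demo).
declare(strict_types=1);

// VULNERABLE: the caller's text is spliced into the SQL string, so the
// MySQL parser cannot tell where the "data" ends and the "code" begins.
function insertVulnerable(mysqli $link, string $FName, string $LName): bool
{
    $sql = "INSERT INTO current (FName, LName) VALUES ('$FName', '$LName')";
    return $link->query($sql) === true;
}

// SAFE: the statement text goes to MySQL once, with placeholders; the values
// travel separately, so they can only ever be column values, never SQL.
function insertPrepared(mysqli $link, string $FName, string $LName): bool
{
    $stmt = $link->prepare("INSERT INTO current (FName, LName) VALUES (?, ?)");
    $stmt->bind_param('ss', $FName, $LName);   // 'ss' = two string parameters
    return $stmt->execute();
}

// Data validation is a separate concern: a prepared statement will happily
// store a malformed zip code or e-mail address, it just cannot be made to
// run them as SQL.
function validateSubscriber(string $Zip, string $subEmail): array
{
    $errors = [];
    if (!preg_match('/^\d{5}(-\d{4})?$/', $Zip)) {
        $errors[] = 'Zip must be 5 digits or ZIP+4';
    }
    if (filter_var($subEmail, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'subEmail is not a valid e-mail address';
    }
    return $errors;
}

// Constructed attacker input: closes the FName literal, finishes the first
// row, and opens a second row whose contents the attacker controls.
$FName = "Mallory', 'x'), ('Admin";
$LName = "pwned";

// insertVulnerable() would send MySQL:
//   INSERT INTO current (FName, LName) VALUES ('Mallory', 'x'), ('Admin', 'pwned')
// and two rows land in the table, one of them never typed by a real user.
//
// insertPrepared() inserts exactly one row whose FName column holds the
// literal text  Mallory', 'x'), ('Admin  because the quote and parentheses
// never reach the SQL parser as syntax.

$link = new mysqli('localhost', 'user', 'pass', 'example_db'); // assumed credentials
$link->set_charset('utf8mb4');

$errors = validateSubscriber('49503', 'jason@example.com');   // constructed input
if ($errors === []) {
    insertPrepared($link, $FName, $LName);
}
```

The payload deliberately injects a second VALUES tuple rather than a stacked `; DROP TABLE ...` statement, because mysqli's query() executes only a single statement (stacking needs multi_query()); the extra tuple shows that plain query() is still fully exploitable, and that the prepared form neutralises it without any escaping on the caller's side.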