On Wed, January 23, 2008 4:04 pm, Dotan Cohen wrote: > Is the "--" here not treated as the beginning of an SQL comment? No, because it is inside the apostrophes. The purpose of mysql_real_escape_string (or using prepared statements) is to mark up (or separate) the DATA from the QUERY. The data about to be put into the database being escaped by mysql_real_escape_string is sufficient to be sure nobody is playing games with apostrophe followed by -- which could, in theory, insert an SQL comment or allow them to execute arbitrary SQL code. -- Some people have a "gift" link here. Know what I want? I want you to buy a CD from some indie artist. http://cdbaby.com/from/lynch Yeah, I get a buck. So? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php