That's what escapeshellcmd() is for - never ever trust user data. At minimum, I would always use addslashes() or the new mysql_real_escape_string() around every bit of user data if it's touching the db.

At minimum, and in lieu of data validation that is really checking what the user entered (alpha plus spaces, hyphen, period, apostrophe only), I would do this:

$query = "Insert into members (name) values ('".addslashes($_POST['name'])."')";

-----Original Message-----
From: Ed Lazor [mailto:Ed.Lazor@xxxxxxxxxxx]
Sent: Mon 8/16/2004 10:06 AM
To: 'Torsten Roehr'; php-db@xxxxxxxxxxxxx
Cc:
Subject: RE: Re: Basic MySQL Query Question

Is it just me or is this a very bad thing from a security standpoint? It seems to me that user input should always be filtered before use. Otherwise there's nothing stopping a hacker from embedding SQL into the value of the name variable.

> -----Original Message-----
> Insert into members (name) values ($_POST['name']);
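As an added example (not code from anyone in this thread), here is the interpolated INSERT under discussion next to a parameterized version and the allow-list check the reply describes (letters, spaces, hyphen, period, apostrophe). It assumes PHP with PDO and the SQLite driver so it runs offline; the members table and the sample names are constructed.

```php
<?php
// Added example, not from the mailing-list thread. Uses an in-memory
// SQLite database through PDO so it runs without a MySQL server.

// Allow-list validation as described in the reply: letters, spaces,
// hyphen, period and apostrophe only. Rejects everything else up front.
function isValidName(string $name): bool
{
    return $name !== '' && preg_match('/^[A-Za-z .\'-]+$/', $name) === 1;
}

// Parameterized INSERT: the name travels as a bound value, never as part
// of the SQL text, so a quote inside it cannot change the statement.
function insertMember(PDO $db, string $name): int
{
    $stmt = $db->prepare('INSERT INTO members (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $db->lastInsertId();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed sample inputs: two legitimate names (one with an apostrophe)
// and one containing characters outside the allow-list.
$inputs = ['Jane Doe-Smith', "O'Brien", 'J0hn;'];

foreach ($inputs as $name) {
    if (!isValidName($name)) {
        echo "rejected by validation: $name\n";
        continue;
    }
    $id = insertMember($db, $name);
    echo "inserted id $id: $name\n";
}

// The raw interpolation from the thread, for contrast: even the honest
// apostrophe in O'Brien ends the string literal early and the statement
// fails with a syntax error, which is the same mechanism an attacker
// would use to alter the query.
$unsafe = "INSERT INTO members (name) VALUES ('" . $inputs[1] . "')";
try {
    $db->exec($unsafe);
} catch (PDOException $e) {
    echo "unescaped interpolation failed: " . $e->getMessage() . "\n";
}
```

Run with `php example.php`; the two valid names are inserted, `J0hn;` is rejected before any SQL is built, and the interpolated statement fails on the apostrophe.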