On 15/05/15 06:21, Karl DeSaulniers wrote:
> Oh ok. Now it makes a little more sense.
> I have worked in ASP before, but I am programming in PHP and MySQL at the moment.
>
> I am going to look into Prepared Statements. Thanks for your feedback.

Just to clarify things a little here and explain
http://php.net/manual/en/pdo.prepared-statements.php a little more ...

Many of the legacy injection problems were/are caused by building up the query as a fully self-contained string. Various methods like 'magic_quotes' and wrapping $var in things like makesafe($var) were the only way some database engines could handle adding variables to the SQL string, and much code still follows that style even today.

Other database engines have always had the ability to pass the variables as a separate array of data, and the @x is more normally seen as a simple ? in the SQL string, so PDO and other frameworks map the ':var' elements of the first example to the relevant style used by the database. Actually naming parameters is not the norm, so one has to have the right number of '?' elements to go with the array of data passed, so PDO is adding a layer of code which hides the underlying execute(sql_query, array_of_data);

--
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
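The three styles Lester contrasts, shown side by side as an added example that is not part of the thread: the legacy self-contained query string, the PDO ':name' form, and the positional '?' form with a separate data array. It assumes PHP with the pdo_sqlite driver so it runs against an in-memory database; the users table and its rows are constructed for the illustration, and the input value is chosen only because an apostrophe is enough to show why splicing data into SQL text is fragile.

```php
<?php
// Added example, not code from the original mailing-list post.
// Assumes PHP with pdo_sqlite; schema and rows below are constructed sample data.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL)");
$pdo->exec("INSERT INTO users (name, email) VALUES "
         . "('Karl', 'karl@example.test'), ('O''Brien', 'obrien@example.test')");

// Untrusted input. The apostrophe is ordinary data, but it is also SQL syntax.
$name = "O'Brien";

// 1. Legacy style: the query is built as one fully self-contained string.
//    The quote inside $name ends the literal early, so the engine sees broken SQL
//    (and with other inputs would see attacker-controlled SQL instead).
try {
    $rows = $pdo->query("SELECT email FROM users WHERE name = '$name'")
                ->fetchAll(PDO::FETCH_COLUMN);
    echo "concatenated: ", implode(',', $rows), PHP_EOL;
} catch (PDOException $e) {
    echo "concatenated: query failed (", $e->getMessage(), ")", PHP_EOL;
}

// 2. Named parameter (:name). PDO maps this to whatever the driver supports and
//    sends the value as separate data, so it is never part of the SQL text.
$stmt = $pdo->prepare("SELECT email FROM users WHERE name = :name");
$stmt->execute([':name' => $name]);
echo "named:        ", implode(',', $stmt->fetchAll(PDO::FETCH_COLUMN)), PHP_EOL;

// 3. Positional parameter (?), the form most engines use natively: the data array
//    must contain exactly one entry per '?', in order.
$stmt = $pdo->prepare("SELECT email FROM users WHERE name = ?");
$stmt->execute([$name]);
echo "positional:   ", implode(',', $stmt->fetchAll(PDO::FETCH_COLUMN)), PHP_EOL;

// The "right number of '?' elements" point: a mismatch between placeholders and
// the data array is rejected by PDO at execute() rather than silently misaligned.
try {
    $pdo->prepare("SELECT email FROM users WHERE name = ? AND id = ?")->execute([$name]);
} catch (PDOException $e) {
    echo "count mismatch: rejected (", $e->getMessage(), ")", PHP_EOL;
}
```

Run with `php example.php`: the concatenated form fails to parse, while both prepared forms return obrien@example.test because the value travels outside the SQL string. The same separation is what makes the prepared forms immune to a value that contains SQL rather than just a quote.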