I have a huge website with many form entries and URL variables. I just realized that anybody can come along and insert SQL code into my variables and have it executed. What is the quickest and easiest way I can fix this? Is doing a replace() on ' the only way?

Thanks,
Josh
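
On the replace() question above, as an added example that is not part of the original post: a Python/sqlite3 sketch showing that doubling single quotes leaves an unquoted numeric URL variable injectable, beside the same lookups done with bound parameters. The table, sample rows and function names are constructed for illustration; the site's actual language and database are not stated in the post.

```python
import sqlite3

def make_db():
    """Build an in-memory table holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(1, "josh"), (2, "O'Brien"), (3, "admin")])
    return db

def escape_quotes(value):
    """The replace()-on-' approach: double every single quote."""
    return value.replace("'", "''")

def lookup_by_id_replace(db, raw_id):
    """Concatenated query. Quotes are doubled, but the id sits in an
    unquoted numeric context, so input needs no quote to alter the SQL."""
    sql = "SELECT name FROM users WHERE id = " + escape_quotes(raw_id)
    return [row[0] for row in db.execute(sql)]

def lookup_by_id_bound(db, raw_id):
    """Check the type first, then bind the value as a parameter.
    The input is passed as data and never becomes part of the SQL text."""
    try:
        user_id = int(raw_id)
    except ValueError:
        return []  # reject anything that is not an integer
    cur = db.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in cur]

def lookup_by_name_bound(db, raw_name):
    """String lookup with a bound parameter; no escaping step is needed,
    and names that contain a quote still match correctly."""
    cur = db.execute("SELECT name FROM users WHERE name = ?", (raw_name,))
    return [row[0] for row in cur]

if __name__ == "__main__":
    db = make_db()
    crafted = "1 OR 1=1"  # constructed input containing no quote at all
    print("replace():", lookup_by_id_replace(db, crafted))
    print("bound id: ", lookup_by_id_bound(db, crafted))
    print("bound name:", lookup_by_name_bound(db, "O'Brien"))
```

The same pattern exists in most database APIs as parameterized queries or prepared statements, so each query on the site can be converted one at a time.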