Have you looked at server-side regular expressions? I'm not familiar with PHP, but this might help (it's for ASP):
http://dynamic.15seconds.com/Issue/page.asp?Page_Id=306

Bart

>>> ppxsjc1 at unix.ccc.nottingham.ac.uk 04/19/01 11:52AM >>>
> http://www.webreview.com/2001/04_13/developers/index02.shtml

That's a good article, but it did leave me with one question: I can understand how you can validate some fields to prevent malicious attacks (such as checking IDs are integers), but what do you do about text fields?

At present I use SQL like this in my PHP/MySQL applications:

INSERT INTO TableName (name,email,comment) VALUES ('$name','$email','$comment')

I thought that since single quotes are escaped by PHP magic quotes it would be impossible to "break into" my SQL syntax with a comment like:

$comment = "my nasty comment)' DROP TableName"

which *should* result in a harmless SQL syntax of:

INSERT INTO TableName (name,email,comment) VALUES ('name','email','my nasty comment)\' DROP TableName')

Am I missing something here? Any other security tips/urls?

Simon

---------------------------------------
For unsubscribe and other options, including the Tip Harvester and archive of TheList go to: http://lists.evolt.org
Workers of the Web, evolt !
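The exchange above turns on two things: whether quote-escaping keeps Simon's payload inside the string literal, and what happens to a field that is not wrapped in quotes at all (the integer-ID case he mentions). The following is an added example, not code from the thread or from either poster. It runs against an in-memory SQLite database so it works offline; SQLite's escape for a single quote is a doubled quote rather than the backslash PHP magic quotes produces for MySQL, so `sql_escape()` is the SQLite analogue of magic quotes, not a copy of it. The table, column names, e-mail addresses and the `1 OR 1=1` request value are all constructed for the demo.

```python
"""Dynamic SQL vs. parameter binding, shown on an in-memory SQLite table.

Added example (not from the thread). Assumptions: SQLite stands in for
MySQL; sql_escape() is the SQLite analogue of PHP magic quotes; the
table layout mirrors the INSERT quoted in the thread.
"""
import sqlite3

# Constructed sample input, modelled on the payload in the thread.
NASTY_COMMENT = "my nasty comment)' DROP TableName"


def fresh_db() -> sqlite3.Connection:
    """Create the table from the thread (id column added for the ID case)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE TableName "
        "(id INTEGER PRIMARY KEY, name TEXT, email TEXT, comment TEXT)"
    )
    return conn


def sql_escape(value: str) -> str:
    """Escape for a value that will sit between single quotes.

    Analogue of magic quotes: it only does anything for quote characters,
    so it is only meaningful when the value is spliced inside a quoted
    literal. It is a no-op for a value used in an unquoted position.
    """
    return value.replace("'", "''")


def row_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM TableName").fetchone()[0]


def insert_spliced(conn, name: str, email: str, comment: str) -> int:
    """The pattern from the thread: escape, then splice into the SQL text.

    Returns the number of rows in the table afterwards.
    """
    sql = (
        "INSERT INTO TableName (name,email,comment) VALUES ('%s','%s','%s')"
        % (sql_escape(name), sql_escape(email), sql_escape(comment))
    )
    conn.execute(sql)
    conn.commit()
    return row_count(conn)


def insert_bound(conn, name: str, email: str, comment: str) -> int:
    """Hardened form: values travel as parameters, never as SQL text."""
    conn.execute(
        "INSERT INTO TableName (name,email,comment) VALUES (?,?,?)",
        (name, email, comment),
    )
    conn.commit()
    return row_count(conn)


def stored_comment(conn, name: str) -> str:
    """Read back what was actually stored for a given name."""
    return conn.execute(
        "SELECT comment FROM TableName WHERE name = ?", (name,)
    ).fetchone()[0]


def delete_by_id_spliced(conn, id_from_request: str) -> int:
    """Integer column used without quotes, value spliced in after escaping.

    Escaping quotes cannot help here because the attacker needs no quote:
    "1 OR 1=1" passes through sql_escape() unchanged and the WHERE clause
    becomes `id = 1 OR 1=1`. Returns rows remaining after the DELETE.
    """
    sql = "DELETE FROM TableName WHERE id = %s" % sql_escape(id_from_request)
    conn.execute(sql)
    conn.commit()
    return row_count(conn)


def delete_by_id_bound(conn, id_from_request: str) -> int:
    """Same DELETE with the value bound as a parameter.

    The text "1 OR 1=1" is compared as a value against the integer id
    column; it matches no row, so nothing is deleted.
    """
    conn.execute("DELETE FROM TableName WHERE id = ?", (id_from_request,))
    conn.commit()
    return row_count(conn)


if __name__ == "__main__":
    db = fresh_db()
    print("spliced insert, rows:", insert_spliced(db, "simon", "s@example.invalid", NASTY_COMMENT))
    print("stored comment:", stored_comment(db, "simon"))
    print("bound insert, rows:", insert_bound(db, "bart", "b@example.invalid", NASTY_COMMENT))
    print("bound delete with '1 OR 1=1', rows left:", delete_by_id_bound(db, "1 OR 1=1"))
    print("spliced delete with '1 OR 1=1', rows left:", delete_by_id_spliced(db, "1 OR 1=1"))
```

Run stand-alone, the script shows that the quoted text field survives the payload from the thread either way (the comment is stored verbatim), while the unquoted integer field is emptied by the spliced DELETE and untouched by the bound one. The practical point is that quote-escaping only covers values that sit inside a quoted literal; parameter binding covers every field the same way, which in PHP means prepared statements (PDO or mysqli) rather than string interpolation.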