Been taking in what you guys have said with great interest. Question - If I went through each string before using it as a parameter to search for quotes and either refussed to run the sql statement or deleted the quotes first - would that solve the majority of sql injection attacks? Jas