Our development team has told me that we don't need to validate user input in our application because the values are all passed to prepared statements. Because of this, SQL injection cannot occur. I only work with PHP, where I validate everything. Thoughts?

----------
Randal Rust
Covansys Corporation
Columbus, OH
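An added example, not part of the original message: it shows that a value bound through a prepared statement is stored as inert data, and that the same statement still accepts values the application would consider invalid. The message does not name the application's language, so Python's `sqlite3` is used here; the `orders` table, the function names and the limits in `validate_order` are hypothetical.

```python
import sqlite3

# Constructed schema and inputs, for illustration only.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (customer TEXT, quantity INTEGER)")
    return db

def insert_order(db, customer, quantity):
    # Placeholders bind the inputs as data; they are never parsed as SQL.
    db.execute("INSERT INTO orders (customer, quantity) VALUES (?, ?)",
               (customer, quantity))

def validate_order(customer, quantity):
    """Hypothetical business rules: return a list of problems, empty if OK."""
    problems = []
    if not isinstance(customer, str) or not 1 <= len(customer) <= 64:
        problems.append("customer must be 1-64 characters")
    if type(quantity) is not int or not 1 <= quantity <= 1000:
        problems.append("quantity must be an integer from 1 to 1000")
    return problems

def insert_validated(db, customer, quantity):
    # Validation runs first; the prepared statement is still used for storage.
    problems = validate_order(customer, quantity)
    if problems:
        raise ValueError("; ".join(problems))
    insert_order(db, customer, quantity)

def demo():
    db = make_db()
    payload = "x'); DROP TABLE orders; --"   # constructed injection-style input
    insert_order(db, payload, 1)             # stored verbatim, table survives
    insert_order(db, "alice", -500)          # no injection, but bad data is accepted
    rows = db.execute(
        "SELECT customer, quantity FROM orders ORDER BY rowid").fetchall()
    try:
        insert_validated(db, "bob", -500)    # same bad value, now rejected
        rejected = False
    except ValueError:
        rejected = True
    count = db.execute("SELECT COUNT(*) FROM orders").fetchone()[0]
    return rows, rejected, count

if __name__ == "__main__":
    print(demo())
```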