Thanks Andrew. I would never have thought to check the data; I was only checking for empty fields that are required. And I will use htmlentities.

Nan

-----Original Message-----
From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Andrew Kamm
Sent: Friday, August 03, 2007 3:51 PM
To: thelist at lists.evolt.org
Subject: Re: [thelist] Keeping PHP forms secure

> Is this enough to keep the database safe from attack? It seems like
> there should be more to this but I have googled and didn't find anything.

For the most part, but you may also want to run a 'sanity check' on individual fields to make sure they're appropriate and that someone isn't trying to manipulate your application while trolling for holes. If you're getting a paragraph of text when the field requires only an integer, there's something wrong.

You also want to protect your app when you display user-entered data by using htmlentities() (to prevent XSS attacks).

ak

--
* * Please support the community that supports you. * *
http://evolt.org/help_support_evolt/

For unsubscribe and other options, including the Tip Harvester and archives of thelist go to: http://lists.evolt.org
Workers of the Web, evolt !
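An added PHP example, not code from either message, showing the two checks Andrew describes: a per-field sanity check that rejects a paragraph of text where an integer is required, and htmlentities() applied at the point where user-entered data is displayed. The field names, the allowed range and the sample input are assumptions.

```php
<?php
// Constructed sample input standing in for $_POST (assumed field names).
$sample = [
    'quantity' => 'a whole paragraph of text where a number belongs',
    'comment'  => '<script>alert(1)</script> nice product',
];

function validate_form(array $input): array
{
    $errors = [];
    $clean  = [];

    // Required-field check (the check Nan already had).
    if (!isset($input['quantity']) || trim((string)$input['quantity']) === '') {
        $errors['quantity'] = 'required';
    } else {
        // Sanity check: the field must be an integer in an expected range.
        // Free text arriving here means a broken client or someone probing.
        $q = filter_var($input['quantity'], FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1, 'max_range' => 1000]]);
        if ($q === false) {
            $errors['quantity'] = 'must be an integer between 1 and 1000';
        } else {
            $clean['quantity'] = $q;
        }
    }

    // Free text is kept as entered but bounded in length; escaping is done on output.
    $comment = isset($input['comment']) ? (string)$input['comment'] : '';
    if (strlen($comment) > 500) {
        $errors['comment'] = 'too long';
    } else {
        $clean['comment'] = $comment;
    }
    return ['errors' => $errors, 'clean' => $clean];
}

// Escape when displaying, so stored markup is rendered as text rather than run.
function h(string $s): string
{
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

$result = validate_form($sample);
if ($result['errors']) {
    foreach ($result['errors'] as $field => $msg) {
        echo '<p>' . h($field) . ': ' . h($msg) . "</p>\n";
    }
} else {
    echo '<p>Comment: ' . h($result['clean']['comment']) . "</p>\n";
}
```

With the sample input the quantity field is rejected before anything reaches the database, and if the comment were later displayed the script tag would appear as literal text.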