[snip]
On 7 Aug 2007, at 10:28, Sales @ Lycosa wrote:

> 1. Use regular expressions to sanitize the variables by removing dodgy
> characters such as `

Regular expressions? Does PHP really lack a parameterized SQL execute function?!

They have several such as http://www.php.net/mysql_real_escape_string
[/snip]

Sorry, I read your post too quickly. PHP does not have a generic SQL execute function, though one would be easy enough to write. PHP does a good job of covering a wide range of popular database products with various functions.
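Added example (not from the thread or from any poster): the difference between an escaping function like mysql_real_escape_string and a genuinely parameterized execute, shown with PDO prepared statements, which PHP has shipped since 5.1. To run offline it uses an in-memory SQLite database; the users table, its two rows and the attacker string are constructed here for illustration.

```php
<?php
// Added example, not code from the thread. PDO with in-memory SQLite so it
// runs without a server; the schema and rows below are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Attacker-controlled input: the single quote closes the string literal and
// the OR makes the WHERE clause always true.
$attackerInput = "x' OR '1'='1";

// Vulnerable: the value is spliced into the SQL text. A regex that strips
// "dodgy characters" is a blocklist and misses encodings it did not foresee.
function lookupUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Parameterized: the SQL text is fixed at prepare() time and the value travels
// separately, so no character in $name can change the statement's structure.
function lookupSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

print_r(lookupUnsafe($db, $attackerInput)); // both rows: alice and bob
print_r(lookupSafe($db, $attackerInput));   // empty: no user is literally named x' OR '1'='1
print_r(lookupSafe($db, 'alice'));          // alice
```

Escaping (mysql_real_escape_string, or PDO::quote) only neutralises quote characters inside a string literal; it does nothing for a value dropped into a numeric context such as `WHERE id = $id` with no quotes around it, and mysql_real_escape_string needs an open connection to know the charset. A bound parameter has neither problem. One caveat for MySQL users: PDO's mysql driver defaults to emulated prepares, which still quotes client-side; set PDO::ATTR_EMULATE_PREPARES to false to get server-side prepared statements.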