<snip>
> The idea is exactly not to do any queries dynamically generated based
> on user input! In the rare cases where this is needed you should not
> allow any unparsed input.
</snip>

A RARE case, in the world of web applications??? Hardly!!!!!

I agree that in an optimal situation queries will not be based on user input, but in the world of the web this is a pipe dream. In 99.99% of the cases there will be some dynamic element to a query. The only safeguard is to validate the hell out of the data.

P.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
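
An added example, not part of the thread above: a query with the kind of dynamic element both messages discuss, where the user-chosen sort column is mapped through an allow-list and the filter value is validated and then bound as a parameter. The `users` table, the `listUsers` helper and the in-memory SQLite database are assumptions made for the illustration.

```php
<?php
// Added example: constructed schema and data, in-memory SQLite via PDO.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, age INTEGER)');
$db->exec("INSERT INTO users (name, age) VALUES ('alice', 30), ('bob', 25), ('carol', 41)");

/**
 * Hypothetical helper: list users at least $minAge old, sorted by a
 * caller-chosen column and direction. All three inputs arrive as strings,
 * as they would from a request.
 */
function listUsers(PDO $db, string $minAge, string $sort, string $dir): array
{
    // Identifiers cannot be bound as parameters, so the input only selects
    // an entry from a fixed allow-list and is never copied into the SQL.
    $columns = ['id' => 'id', 'name' => 'name', 'age' => 'age'];
    if (!isset($columns[$sort])) {
        throw new InvalidArgumentException('unknown sort column');
    }
    // Anything other than DESC falls back to ASC.
    $direction = strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';

    // Validate the value's type and range before it reaches the database.
    $age = filter_var($minAge, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);
    if ($age === false) {
        throw new InvalidArgumentException('min age must be an integer from 0 to 150');
    }

    // The validated value is still bound, not concatenated.
    $sql = "SELECT id, name, age FROM users WHERE age >= :age "
         . "ORDER BY {$columns[$sort]} {$direction}";
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':age', $age, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs standing in for request parameters.
print_r(listUsers($db, '26', 'name', 'desc'));

// Inputs that fail validation are rejected before any SQL is built.
foreach ([['26', 'name DESC; --', 'asc'], ['26 OR 1=1', 'name', 'asc']] as $args) {
    try {
        listUsers($db, ...$args);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```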