Hi,

Protect your database:
http://www.php.net/manual/en/function.htmlspecialchars.php

PHP Security Consortium:
http://phpsec.org/

Protect against SQL injection attacks. See more:
http://www.php.net/manual/en/function.mysql-real-escape-string.php

----------------------------------------
<?php
// Query database to check if there are any matching users
$query = "SELECT * FROM users WHERE user='{$_POST['username']}' AND password='{$_POST['password']}'";
mysql_query($query);

// We didn't check $_POST['password'], it could be anything the user wanted! For example:
$_POST['username'] = 'aidan';
$_POST['password'] = "' OR ''='";

// This means the query sent to MySQL would be:
echo $query;
?>

The query sent to MySQL:
SELECT * FROM users WHERE user='aidan' AND password='' OR ''=''
-----------------------------------------

Regards,
Dinçer Akay

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:    http://lists.mysql.com/[EMAIL PROTECTED]
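
Added example, not part of the original post: the query above run against a constructed in-memory SQLite table through PDO, first with the input interpolated as in the post and then with bound parameters. PDO prepared statements are used here in place of the mysql_real_escape_string() function the post links to, because the mysql_* extension was removed in PHP 7.0. The table contents, the function names and the availability of the pdo_sqlite extension are assumptions.

```php
<?php
// Constructed in-memory table standing in for the post's `users` table.
// The plaintext password column mirrors the post's query only.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (user TEXT, password TEXT)");
$db->exec("INSERT INTO users VALUES ('aidan', 'constructed-secret')");

// Values from the post: a known username and the crafted password field.
$username = 'aidan';
$password = "' OR ''='";

// Before (hypothetical helper): input is interpolated into the SQL text,
// so the quotes in $password become part of the WHERE clause.
function login_interpolated(PDO $db, string $u, string $p): int
{
    $sql = "SELECT * FROM users WHERE user='$u' AND password='$p'";
    return count($db->query($sql)->fetchAll());
}

// After (hypothetical helper): placeholders send the input as data,
// so it is compared as a literal string and never parsed as SQL.
function login_prepared(PDO $db, string $u, string $p): int
{
    $stmt = $db->prepare("SELECT * FROM users WHERE user = ? AND password = ?");
    $stmt->execute([$u, $p]);
    return count($stmt->fetchAll());
}

// The interpolated form matches the row without the real password;
// the prepared form matches nothing for the same input.
printf("interpolated: %d row(s)\n", login_interpolated($db, $username, $password));
printf("prepared:     %d row(s)\n", login_prepared($db, $username, $password));
```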