See http://www.oscommerce.com/community/bugs,4301/category,Database+(General) It seemed like a full blown SQL Injection risk at first but when I got in to hacking a preliminary fix it turned out to be less scary. Still ugly though, giving away more info that you want to present to script kiddies and real hackers. Fix there avoids the dirty SQL error.