Now on to SQL injection. SQL injection allows the user to execute a piece of SQL code on your db. Let's, for example, take this piece of SQL code. Don't ask why you would want to run this, it is a useless command, but it works for this example. Assume that the user has just filled out an HTML form that asks for username, with method post. Here it is:

    SELECT username FROM users WHERE username='$_POST[username]'

Okay, useless and impractical, I know. It is just an example. But when someone enters a ' on the form, it closes the quotes around $_POST[username]. Then the user can enter their own command. This may help (sorry for so many links all the time, but they explain better than me): http://en.wikipedia.org/wiki/SQL_injection#Incorrect_type_handling

Also, here is how to guard against it: http://php.net/manual/en/function.mysql-real-escape-string.php

Sorry if this doesn't work for you. I'm no PHP expert, started earlier this year (2012).

-Tony
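An added example, not Tony's code, written in Python against an in-memory SQLite table (rather than PHP and MySQL) to show the quote-closing problem described above next to a parameterized query that avoids it; the table and the usernames are constructed for the demo.

```python
import sqlite3

# Constructed sample data for the demo (not from the original post).
SAMPLE_USERS = ["alice", "O'Brien", "tony"]


def make_db():
    """Build a throwaway users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [(u,) for u in SAMPLE_USERS])
    return conn


def lookup_vulnerable(conn, username):
    """Mirrors the post's query: the form value is pasted straight into the SQL text.
    A single quote in the value ends the string literal early, so the rest of the
    input is parsed as SQL instead of as data."""
    sql = "SELECT username FROM users WHERE username='" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """Parameterized query: the value travels separately from the SQL text, so a
    quote is just a character in the username and cannot change the statement."""
    sql = "SELECT username FROM users WHERE username=?"
    return [row[0] for row in conn.execute(sql, (username,))]


def quote_breaks_query(conn, username):
    """True when the string-built query no longer parses, i.e. the user's quote
    has escaped the intended literal (the failure mode the post describes)."""
    try:
        lookup_vulnerable(conn, username)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, plain name:", lookup_vulnerable(db, "alice"))
    print("vulnerable, name with quote breaks the SQL:", quote_breaks_query(db, "O'Brien"))
    print("parameterized, name with quote:", lookup_safe(db, "O'Brien"))
```

The same name with an apostrophe makes the string-built query fail to parse while the parameterized one simply finds the row, which is why prepared statements are the usual fix rather than manual escaping.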