07-11-2008, 01:23 PM
What he is saying is that your PHP script has a huge SQL Injection Security hole in it. All Variables needed to be entered into a database that come (or don't) from user-based input should at the very minimum have the function mysql_real_escape_string enclosed around it.
Unless you want someone to easily drop all the tables in your database. :shrug:
PHP: mysql_real_escape_string - Manual
__________________
There are No Stupid Questions. But there are a LOT of Inquisitive Idiots.
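An added example, not part of the original post and not the script under discussion in this thread: the same lookup written with raw concatenation, with the value escaped, and with a prepared statement. It assumes a constructed `users` table and constructed input, and uses PDO with an in-memory SQLite database so it runs offline; `PDO::quote()` plays the role `mysql_real_escape_string` has in the old `mysql_*` extension, which was removed in PHP 7.

```php
<?php
// Added example: constructed table and input, not the script from this thread.
// In-memory SQLite via PDO stands in for the MySQL database so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// The hole: user input is pasted straight into the SQL text, so a quote
// character in the input ends the string literal and the rest is read as SQL.
function lookup_unsafe(PDO $db, string $name): array {
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// The minimum fix from the post: escape the value before it goes into the
// query. PDO::quote() escapes embedded quotes and adds the surrounding ones.
function lookup_escaped(PDO $db, string $name): array {
    $sql = "SELECT name FROM users WHERE name = " . $db->quote($name);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Stronger: a prepared statement sends the value separately from the SQL
// text, so it is never parsed as part of the statement.
function lookup_prepared(PDO $db, string $name): array {
    $stmt = $db->prepare("SELECT name FROM users WHERE name = ?");
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs, as they might arrive in $_POST['name'].
$inputs = [
    'normal value'      => "alice",
    'value with quotes' => "nobody' OR '1'='1",
];

foreach ($inputs as $label => $input) {
    printf("%s: %s\n", $label, $input);
    printf("  concatenated: %d row(s)\n", count(lookup_unsafe($db, $input)));
    printf("  escaped:      %d row(s)\n", count(lookup_escaped($db, $input)));
    printf("  prepared:     %d row(s)\n", count(lookup_prepared($db, $input)));
}
```

Only the concatenated query changes meaning when the input contains quotes; the escaped and prepared versions compare the whole input against `name` as a plain string.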