Couldn't agree more. Have yourself a read over this article, and then construct yourself a safe MySQL parse value function to take into consideration the annoyance of GPC, and then add slashes and throw the values through mysql_real_escape_string().

__________________
The man who comes back through the Door in the Wall will never be quite the same as the man who went out.