YBH: I see you're using the mysqli extension. If you don't want to worry about malicious code, you can use prepared statements as shown here: http://www.php.net/manual/en/functio...mt-prepare.php