> > But unlike Vlad's version, that's vulnerable to SQL injection attacks.

This particular statement actually isn't vulnerable because it's entirely generated by the programmer. In a "real" example, though, you should be careful to escape all your strings :)

Best,
Yariv