DB Injection - ? placeholder, prepare/execute, mysql_real_escape_string Shell Injection - escapeshellarg ]]> Or use ? parameters in PEAR::DB and PDO. PDO also supports named parameters. prepare($sql); $prep->execute(array(':calories' => 150, ':colour' => 'red')); $red = $prep->fetchAll(); $prep->execute(array(':calories' => 175, ':colour' => 'yellow')); $yellow = $prep->fetchAll(); ?>]]> &1"); ?>]]>