On 03/24/2016 07:57 AM, Always Learning wrote:
> I should have imposed strict controls on the length of
> parameters passed to programmes via web pages $_GET[] such as...
> and reject any incoming string containing ' or " in addition to PHP's
> strip_tags and (deprecated in later versions)
> mysql_real_escape_string($_GET['....'],$link);

No. No. Nooooooooo.

You're missing the point that everyone is trying to communicate to you.

Do not use string concatenation. Do not use sprintf. Do not use mysql_real_escape_string().

Use prepared statements.

http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
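As an added illustration of the point made in the reply above (example code, not part of the original thread and not written by either poster), here is the escape-and-concatenate approach the quoted message proposes next to the mysqli prepared-statement form the reply recommends. The table and column names (`users`, `id`, `username`), the connection credentials, and the `$_GET` parameter names are assumptions made for the example.

```php
<?php
// Added example, not from the original thread. The users table, its columns,
// the credentials below and the $_GET parameter names are all assumptions.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$link = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$link->set_charset('utf8mb4');

// --- What the quoted message proposes: length cap + strip_tags + escaping ---
// The value is still spliced into the SQL text, so the shape of the query
// depends on what the user sent. Escaping only helps inside a quoted literal.
function find_user_escaped(mysqli $link, string $username): array
{
    $username = substr(strip_tags($username), 0, 32);
    $safe = $link->real_escape_string($username);   // escapes ' " \ NUL and friends
    $sql = "SELECT id, username FROM users WHERE username = '$safe'";
    return $link->query($sql)->fetch_all(MYSQLI_ASSOC);
}

// Same technique on a numeric column: there are no quotes around the value,
// so real_escape_string() has nothing to escape and ?id=1 OR 1=1 goes straight
// into the statement. Escaping is tied to one specific SQL context; it is not
// a general defence.
function find_user_by_id_escaped(mysqli $link, string $id): array
{
    $safe = $link->real_escape_string($id);
    $sql = "SELECT id, username FROM users WHERE id = $safe";
    return $link->query($sql)->fetch_all(MYSQLI_ASSOC);
}

// --- What the reply recommends: prepared statements ---
// The SQL text is sent to the server and parsed with placeholders; the values
// travel separately as bound parameters and can never alter the statement.
// No quoting, no escaping, and no character-set or sql_mode edge cases.
function find_user_prepared(mysqli $link, string $username): array
{
    $stmt = $link->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);            // 's' = bind as a string
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // get_result() needs mysqlnd
    $stmt->close();
    return $rows;
}

function find_user_by_id_prepared(mysqli $link, int $id): array
{
    $stmt = $link->prepare('SELECT id, username FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);                  // 'i' = bind as an integer
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Identifiers (table and column names) cannot be bound as parameters. Where
// user input selects a column, map it through an allow-list; do not fall back
// to concatenating the raw value.
function list_users_sorted(mysqli $link, string $orderBy): array
{
    $allowed = ['id' => 'id', 'username' => 'username'];
    $column  = $allowed[$orderBy] ?? 'id';        // unknown keys fall back to 'id'
    $stmt = $link->prepare("SELECT id, username FROM users ORDER BY $column");
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage with request input (parameter names are assumptions):
$username = (string) ($_GET['username'] ?? '');
$id       = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT) ?: 0;

print_r(find_user_prepared($link, $username));
print_r(find_user_by_id_prepared($link, $id));
print_r(list_users_sorted($link, (string) ($_GET['sort'] ?? 'id')));
```

The two `_prepared` functions are the whole of the reply's advice: the statement text and the data never share a string, so neither the length of the input nor the quote characters in it matter to the database. The allow-list in `list_users_sorted()` covers the one case where a placeholder cannot be used, which is the usual place people drift back to concatenation.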