[RESOLVED] Injection attack question


DrMarie
05-28-2009, 03:33 PM
I have been reading (as per the suggestion of someone on this wonderful board) about injection attacks and using mysql_real_escape_string, but I have a question.

Do you only need to use this when you are using SELECT * FROM? Or also when you are inserting into the database?

The only time I am using SELECT * FROM is searching for an id# so I could mysql_real_escape_string the $id variable. But do I need to escape all of the other variables I put INTO my table?

chazzy
05-28-2009, 09:06 PM
The better approach is to use bind parameters (see the mysqli implementation), and you should use it whenever you access data and manipulate data.
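
The bind-parameter approach chazzy describes, written out as an added example that is not part of this thread: both the INSERT and the SELECT use mysqli prepared statements, so a value containing a quote (the case asked about above) is stored and read back literally without any manual escaping. The connection details and the `notes` table with `id`, `name` and `note` columns are assumptions.

```php
<?php
// Added example: parameterised INSERT and SELECT with mysqli prepared statements.
// Connection details and the "notes" table are assumed for illustration only.
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'appdb');
if ($db->connect_errno) {
    die('Connect failed: ' . $db->connect_error);
}

// Constructed sample input containing a single quote, which would break
// (or be abused through) a query built by string concatenation.
$name = "O'Brien";
$note = "It's working";

// INSERT: placeholders instead of "VALUES ('$name', '$note')".
// The values never become part of the SQL text, so no escaping is needed.
$ins = $db->prepare('INSERT INTO notes (name, note) VALUES (?, ?)');
$ins->bind_param('ss', $name, $note); // 's' = string, one letter per placeholder
$ins->execute();
$id = $db->insert_id;
$ins->close();

// SELECT by id: the id is bound as an integer ('i'), so it cannot be
// turned into extra SQL even if it originally came from a request parameter.
$sel = $db->prepare('SELECT name, note FROM notes WHERE id = ?');
$sel->bind_param('i', $id);
$sel->execute();
$sel->bind_result($outName, $outNote);
while ($sel->fetch()) {
    // Values come back exactly as stored, quote included.
    echo htmlspecialchars($outName), ': ', htmlspecialchars($outNote), "\n";
}
$sel->close();
$db->close();
```

If you stay with the older mysql_* functions instead, mysql_real_escape_string() has to be applied to every value placed inside quotes in any statement, INSERT included, not only in SELECT.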

DrMarie
05-29-2009, 08:23 AM
So you're saying I don't need to use anything if I am just inserting data? Is it ok to insert characters like ' ?

chazzy
05-29-2009, 06:17 PM
That sounds like the opposite of what I'm saying. You should always escape data somehow.

DrMarie
05-29-2009, 06:18 PM
Yup...figured it out when my testing gave me all sorts of errors!

Thanks.