foreseeing problems with this code (brainstorming session)


kaiser0427
06-29-2010, 09:05 PM
Can anyone foresee a problem with this code (other than if JS is not enabled, which is covered by a script that won't allow the page to be seen if it is not enabled)?

function addCost(){
document.getElementById('hidden').innerHTML = "<input type='hidden' name='my_hidden_input' value='<?php callFunction('add_ons','addon_cost', 'addonid', 3); ?>' />";
}

<label><input type="radio" name="design" onclick="showDiv('upload');addCost();" value="<? getCost('add_ons','addon_name', 'addonid', 3); ?>" /><?php getLabel('add_ons','addon_name','addonid', 3, 'addon_cost');?></label>

I'm using JS to write HTML that calls a php function so when a radio button is selected it pulls the price from one table in a database and stores it in a variable to post to another table at a later time.

It works fine and posts to a database perfectly. I was just wondering if I am not thinking of a problem this may cause down the road. Any security issues I may be overlooking?

tirna
06-29-2010, 11:59 PM
Any security issues would also relate to how well you validate any input data to your SQL queries before running the queries in your database.

For example, when validating usernames and passwords (which do not apply in your situation), characters I do not allow include semicolons and single or double quotes, which can be used to facilitate SQL injection.

Also, if you don't already, maybe use mysql_real_escape_string() (http://php.net/manual/en/function.mysql-real-escape-string.php) to "sanitise" your sql input data, to quote a learned poster in these forums.
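Added example, not code from either poster. Two points from this thread are worth seeing together. First, the hidden input in kaiser0427's snippet is filled with the price when the page is rendered, and whatever the browser later posts back can be edited by the user; a server that stores that posted price is trusting the client with the amount to charge. The robust pattern is to post only the add-on id and re-query the price on the server. Second, the escaping tirna mentions is what prepared statements do structurally: the id is bound as a parameter and is never interpolated into the SQL string (note that the mysql_* functions, including mysql_real_escape_string(), were deprecated in PHP 5.5 and removed in PHP 7.0; PDO or mysqli with parameter binding is the current equivalent). The code below uses an in-memory SQLite database with constructed sample rows so it runs offline; the table and column names (add_ons, addonid, addon_name, addon_cost) follow the thread, everything else is assumed.

```php
<?php
// Added example (not the original poster's code): resolve the add-on price on the
// server from the add-on id instead of trusting a hidden input filled in by JavaScript.
// Uses an in-memory SQLite database with constructed sample rows so it runs offline;
// table/column names follow the thread (add_ons, addonid, addon_name, addon_cost).

function openSampleDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE add_ons (addonid INTEGER PRIMARY KEY, addon_name TEXT, addon_cost REAL)');
    // Constructed sample data; the second name contains markup to show output escaping.
    $ins = $db->prepare('INSERT INTO add_ons (addonid, addon_name, addon_cost) VALUES (?, ?, ?)');
    foreach ([[3, 'Custom upload', 25.00], [4, "Rush <b>job</b> & \"extras\"", 40.00]] as $row) {
        $ins->execute($row);
    }
    return $db;
}

// Look the price up by id with a prepared statement; the id is bound, never
// concatenated into the SQL text, and non-integer ids are rejected up front.
function lookupAddonCost(PDO $db, $addonId): ?float {
    if (!ctype_digit((string)$addonId)) {
        return null;
    }
    $stmt = $db->prepare('SELECT addon_cost FROM add_ons WHERE addonid = ?');
    $stmt->execute([(int)$addonId]);
    $cost = $stmt->fetchColumn();
    return $cost === false ? null : (float)$cost;
}

// Render the radio button so its value carries only the id. Text pulled from the
// database is HTML-escaped before it is placed in an attribute or label.
function renderAddonRadio(PDO $db, int $addonId): string {
    $stmt = $db->prepare('SELECT addon_name, addon_cost FROM add_ons WHERE addonid = ?');
    $stmt->execute([$addonId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return '';
    }
    $name = htmlspecialchars($row['addon_name'], ENT_QUOTES, 'UTF-8');
    return sprintf('<label><input type="radio" name="design" value="%d" /> %s ($%.2f)</label>',
                   $addonId, $name, $row['addon_cost']);
}

// Form handler: the cost is recomputed from the posted id. A client-supplied price
// field (like the thread's my_hidden_input) is simply never read.
function priceFromPost(PDO $db, array $post): ?float {
    return isset($post['design']) ? lookupAddonCost($db, $post['design']) : null;
}

$db = openSampleDb();
echo renderAddonRadio($db, 3), "\n";
echo renderAddonRadio($db, 4), "\n";

// Simulated submissions (constructed): a normal one, one carrying a tampered price
// field, and one with a non-numeric id. Only the id decides the stored price.
var_dump(priceFromPost($db, ['design' => '3']));
var_dump(priceFromPost($db, ['design' => '3', 'my_hidden_input' => '0.01']));
var_dump(priceFromPost($db, ['design' => '3 OR 1=1']));
```

Running this prints the two escaped radio buttons, then the looked-up price for the first two submissions (the tampered hidden field changes nothing because the handler never reads it) and NULL for the third, which fails the integer check before any query runs. In the original page the same approach would mean dropping addCost() entirely: the radio value becomes the addonid, and the PHP that receives the form looks the cost up itself.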

kaiser0427
06-30-2010, 06:59 AM
Thanks Tirna, I like hearing how other people write code. There is more than one way to do anything, and getting several different perspectives helps me improve my code. None of my friends know how to write code, so this is my only way to get other perspectives. So I appreciate all input.