I can't comment on the SQL, but the basic princiles of web input is DON'T TRUST USER INPUT. What you need to do is filter the input so that you let through only values you want to let through, rather than filtering out values you don't want.

See also:

• Security?
• Ovid's CGI Course: CGI Security
• davorg's CGI Notes: CGI Security - *new link
• Perl Training Australia: Perl CGI (PDF) Chapter six

*Added extra link.

--
ajt