Thanks to everyone for their help. I did use a regex to check user input, but place holder's are definitely a good idea. I have my own mod_security rules for SQL injection attacks, however, I will be sure to read Ovid's tutorial, use the DBI quoting facility, and use qq from this point forward. I didn't expect my request to generate so much discussion. Thank you for all the insight, I have much to learn.