rwhite35

@mac_gyver, nice catch. I wasn't thinking mysqli! I've had inconsistent results when using a foreach loop to build the bindValue for $stmt objects. Specifically with OS X 10.10. Using the incrementor rather than foreach has solved the issue. Have you come across that situation before? Thanks,

I use a similar algorithm but only with authenticated users (like an admin) and never with public facing pages... NEVER TRUST un-authenticated input. That said, here is how I programmatically create the binder for the placeholders. try { $stmt = $DB->prepare($query); if ($bind!=null) { $cnt = count($bind); if ($cnt>1) { //mulitple binders $t=1; for($i=0;$i<$cnt;$i++) { $stmt->bindParam($t,$bind[$i]); $t++; } } else { //single binder $stmt->bindParam(1,$bind); } } if($stmt->execute()) { while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) { $this->result[] = $row; } return $this->result; } else { throw new Exception("L63: Error on dbmanage::query execution."); } } catch ( Exception $e ) { error_log("Error on query method: ".$e->getMessage()); } This line here $stmt->bindParam($t,$bind[$i]); is taking the bind array and applying a number placeholder to the binding, in affect it would be the same as typing $stmt->bindParam(1,$bind[0]); $stmt->bindParam(2,$bind[1]); $stmt->bindParam(3,$bind[2]); Where $bind is an array of your form input. Also, make sure you sanitize everything. Good luck