aneeshrp

New Members
  • Posts

    3
  • Joined

  • Last visited

    Never

Everything posted by aneeshrp

  1. You have to escape the string when you assign the query to $aStatement. Normally in PHP apps, the data part of the query is taken from $_GET or $_POST. It is always advised to escape the string before executing it in the DB. Alternatively, you can make use of PHP's array_map function at the start of your code to escape the strings:

       $_GET = array_map('mysql_real_escape_string', $_GET);
       $_POST = array_map('mysql_real_escape_string', $_POST);
  2. http://php.net says; however, you could try the following:

     1. Use "" in the form's action attribute. From my understanding, leaving the action blank (action="") is not proper and still open to XSS attacks.

     2. Or use the __FILE__ constant with basename():

          <form method="post" name="helloworld" action="<?php echo basename( __FILE__ );?>">
            <input type="submit" name="submit" value="Submit" />
          </form>
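A combined illustration of the two answers above (an added example, not aneeshrp's code): the request-array escaping from the first post, carried over to the mysqli API and extended to nested request arrays, plus the basename(__FILE__) form action from the second post. The $db connection and the users table are assumptions for the illustration.

```php
<?php
// Added example (not from the original posts). Assumes an open mysqli
// connection in $db and a table `users` with a `name` column; both are
// placeholders for this illustration.

// Escape every scalar in a request array and recurse into nested arrays
// (e.g. <input name="tags[]">). A plain array_map would hand the nested
// array itself to the escape function, which only accepts strings.
function escape_request(mysqli $db, array $input): array {
    $out = [];
    foreach ($input as $key => $value) {
        $out[$key] = is_array($value)
            ? escape_request($db, $value)
            : mysqli_real_escape_string($db, (string) $value);
    }
    return $out;
}

$_GET  = escape_request($db, $_GET);
$_POST = escape_request($db, $_POST);

if (isset($_POST['submit'], $_POST['name'])) {
    // The escaped value is safe inside a single-quoted SQL literal.
    // Escaping only covers quoted string context; an unquoted numeric
    // column still needs a cast or, better, a prepared statement.
    $aStatement = "INSERT INTO users (name) VALUES ('" . $_POST['name'] . "')";
    mysqli_query($db, $aStatement);
}

// Post the form back to this script. basename(__FILE__) comes from the
// filesystem, not from the request (unlike $_SERVER['PHP_SELF']), and
// htmlspecialchars keeps the attribute well formed regardless of its value.
$action = htmlspecialchars(basename(__FILE__), ENT_QUOTES, 'UTF-8');
?>
<form method="post" name="helloworld" action="<?php echo $action; ?>">
  <input type="text" name="name" />
  <input type="submit" name="submit" value="Submit" />
</form>
```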