I'm having real trouble with quote_smart() from PHP. I need to know how to include a "quote_smart"ed variable in a SQL prepared statement. quote_smart() puts single quotes around all string vars, and my DB has matching values with appropriate single quotes around the values. I am getting:

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'mikec@xyz.com''' at line 1"

The way I have it seems to have an extra single quote at the end, but I can't tell where it's coming from. Can someone help?

```php
<?php
session_start();
require_once 'config.php';

function connect_db() {
    // Was $this->db_connection in the class version; a plain function has no $this.
    $db_connection = mysql_connect(SERVER_NAME, DB_USER, DB_PASSWORD)
        or die('Unable to connect to Database!');
    mysql_select_db(DB_NAME);
}

function quote_smart($value) {
    // Stripslashes
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Quote if not a number or a numeric string
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}

connect_db(); // connects to db fine

$legal = "mikec@xyz.com";   // pre quote_smart
$legal = quote_smart($legal); // post quote_smart: $legal is now 'mikec@xyz.com' including the quotes

// The query adds its own single quotes around the already-quoted $legal
$query = "SELECT * FROM users WHERE email = '$legal'";
$user = mysql_query($query) or die(mysql_error());

$numFound = mysql_num_rows($user);
echo $numFound;

$x = mysql_result($user, 0, "email");
$y = mysql_result($user, 0, "pass");
echo '<br> user-> ' . $x;
echo '<br> pass-> ' . $y;
?>
```

It's a login script that I'm using as part of a base application class, but this is easier to read. Does anyone have an example of anything they've done using quote_smart, or can just tell me the standard/preferred way of using it to prevent SQL injection? I'm at a loss here.

Thanks
Mike
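The two ways of getting the value into the query, as an added example that is not the original poster's code: it assumes the mysqli extension, the config.php constants from the post, and a `users(email, pass)` table, and it deliberately does not echo the password column.

```php
<?php
// Added example, not from the original post. Assumes config.php defines
// SERVER_NAME, DB_USER, DB_PASSWORD, DB_NAME and that a users(email, pass) table exists.
require_once 'config.php';

$link = mysqli_connect(SERVER_NAME, DB_USER, DB_PASSWORD, DB_NAME)
    or die('Unable to connect to Database!');

// 1) quote_smart style: the helper supplies the surrounding single quotes itself,
//    so the query text must NOT add another pair around the placeholder.
function quote_smart(mysqli $link, $value) {
    if (is_numeric($value)) {
        return $value;                       // numbers go in unquoted
    }
    return "'" . mysqli_real_escape_string($link, $value) . "'";
}

$legal = quote_smart($link, "mikec@xyz.com");
$sql   = "SELECT email FROM users WHERE email = $legal";   // no quotes around $legal here
// $sql is now: SELECT email FROM users WHERE email = 'mikec@xyz.com'
$result = mysqli_query($link, $sql) or die(mysqli_error($link));
echo 'rows via quote_smart: ' . mysqli_num_rows($result) . "<br>";

// 2) Real prepared statement: the value is sent separately from the SQL text,
//    so no quoting or escaping is applied at all. The placeholder is written bare (?),
//    never as '?', and the driver types the value according to the bind string ('s').
$email = "mikec@xyz.com";
$stmt  = mysqli_prepare($link, "SELECT email FROM users WHERE email = ?")
    or die(mysqli_error($link));
mysqli_stmt_bind_param($stmt, 's', $email);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $dbEmail);

while (mysqli_stmt_fetch($stmt)) {
    // Escape for HTML on output; the password column is intentionally not echoed.
    echo 'user-> ' . htmlspecialchars($dbEmail, ENT_QUOTES, 'UTF-8') . "<br>";
}
mysqli_stmt_close($stmt);
mysqli_close($link);
?>
```

With the prepared form, an input such as `a' OR '1'='1` is compared literally against the email column rather than being parsed as SQL, which is why it is the preferred way to stop injection; escaping-and-quoting helpers like quote_smart only work when the query adds no quotes of its own.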