Input values embedded in SQL statements should be screened for inappropriate characters that can form the basis of so-called SQL injection attacks, a type of security attack that may undermine the SQL statements your PHP code executes. The built-in PHP function mysql_real_escape_string can help by replacing such inappropriate characters with safe input. Refer to the IT 202 manual index for the use of this function. Note also the reference in the manual to the MITRE security threat analysis. The mysql_real_escape_string function transforms the input data it is applied to, and the transformed data is then used for the database interaction. If the original data was not suspicious, there will be no effect; the changes only affect inappropriate input characters. Honors students must use prepared statements.
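The difference between embedding input in the SQL text and binding it through a prepared statement, as an added example that is not part of the original course notes. The students table, its rows and both inputs are constructed, and an in-memory SQLite database (via PDO, assuming the pdo_sqlite extension is enabled) stands in for MySQL so the script runs offline; the prepare and execute calls are the same with a MySQL DSN.

```php
<?php
// Added example: constructed table and inputs; SQLite in-memory stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE students (id INTEGER PRIMARY KEY, ucid TEXT, grade TEXT)');
$db->exec("INSERT INTO students (ucid, grade) VALUES ('abc12', 'A'), ('xyz34', 'B')");

// Unsafe: the input is pasted into the SQL text, so a quote character in it
// ends the string literal and the rest is parsed as SQL.
function find_concat(PDO $db, string $ucid): array
{
    $sql = "SELECT ucid, grade FROM students WHERE ucid = '" . $ucid . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the SQL text is fixed when prepare() is called and the
// input is bound afterwards as a value, so it is only ever compared as data.
function find_prepared(PDO $db, string $ucid): array
{
    $stmt = $db->prepare('SELECT ucid, grade FROM students WHERE ucid = :ucid');
    $stmt->execute([':ucid' => $ucid]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$inputs = [
    'ordinary input'   => 'abc12',
    'input with quote' => "nobody' OR '1'='1",   // constructed test value
];

foreach ($inputs as $label => $value) {
    printf(
        "%-17s concatenated: %d row(s), prepared: %d row(s)\n",
        $label,
        count(find_concat($db, $value)),
        count(find_prepared($db, $value))
    );
}
```

For the ordinary input both functions return the one matching row. For the input containing a quote, the concatenated query returns every row in the table, while the prepared statement returns none because no student has that literal ucid.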