Vahan Amirbekyan wrote:
> prepared statements are immune to SQL injection.

What makes you think this is so? You can still add input to the query, e.g.

"SELECT foo FROM bar WHERE x = {$_GET[arg]} AND y = ?"

Masi
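The query from the reply above, run next to a fully bound version, as an added example that is not part of the original thread. It assumes PDO with the SQLite driver; the table contents, the function names `lookup_mixed` and `lookup_bound`, and the input value are constructed for illustration.

```php
<?php
// Added example. Assumptions: PDO + pdo_sqlite available; all data is constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE bar (foo TEXT, x INTEGER, y INTEGER)');
$pdo->exec("INSERT INTO bar VALUES ('row-a', 1, 10), ('row-b', 2, 20), ('row-c', 3, 30)");

// Mixed form from the post: $arg is pasted into the SQL text before prepare(),
// so the database parses it as part of the statement. Only y is a bound value.
function lookup_mixed(PDO $pdo, string $arg, string $y): array
{
    $stmt = $pdo->prepare("SELECT foo FROM bar WHERE x = {$arg} AND y = ?");
    $stmt->execute([$y]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Fully bound form: the SQL text is a constant and both inputs travel as data,
// so nothing in $arg can change the structure of the WHERE clause.
function lookup_bound(PDO $pdo, string $arg, string $y): array
{
    $stmt = $pdo->prepare('SELECT foo FROM bar WHERE x = ? AND y = ?');
    $stmt->execute([$arg, $y]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed value standing in for $_GET['arg']; no row has x = 1 AND y = 20.
$arg = '1 OR 1=1';
$y   = '20';

echo "mixed: ";
var_dump(lookup_mixed($pdo, $arg, $y));   // the OR clause is now part of the query

echo "bound: ";
var_dump(lookup_bound($pdo, $arg, $y));   // $arg is compared to x as a single value

// Where a value must be interpolated (e.g. it cannot be a placeholder),
// validate it against the expected type first.
if (!ctype_digit($arg)) {
    echo "rejected: arg is not an unsigned integer\n";
}
```

When reviewing code, a `prepare()` call whose SQL string contains a variable is the pattern to flag: the placeholder protects only the values passed to `execute()`.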