
Writing secure php.mysql


dwh
Fri 31st Aug '01, 10:51pm
Just wondering how much security is built into php.

Like when you are doing an insert to the mysql database, say you INSERT INTO X (var,var2,var3) VALUES (x,y,$Z)

what if there's a comma in $Z? I guess that would cause the command to fail? How about:

INSERT INTO X (var,var2,var3) VALUES (x,y,"$Z")

or do you need to embed $Z in htmlspecialcharacters?

JamesUS
Sat 1st Sep '01, 4:35am
I always use the following syntax in queries:

INSERT INTO whatever SET whatever='$var', test='$var2';

So variables are enclosed in single quotes - this would work with the syntax you're using as well.

Mark Hensler
Sat 1st Sep '01, 5:02am
Besides the visual aid of having the field name and value next to each other, why is that format superior to this:
$query = "INSERT INTO X (var,var2,var3) VALUES ('$var', '$var2', '$var3')";

dwh
Sat 1st Sep '01, 2:40pm
Yup, I like that visual aid, I thought that was only valid for updates to records but not for creating records. Yes, I like that much better, I wish all of vB was done that way.

Cool, now I can tell what code came from you James ;)

I noticed that syntax somewhere just yesterday and said, whoa, what's that about? :)
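The quoting discussed in this thread handles the comma but not a quote character inside the value. Here, as an added example that is not from the thread, is the interpolated INSERT beside a prepared-statement version; it uses PDO with an in-memory SQLite database (assumed available) so it runs offline, and the same PDO calls apply to MySQL.

```php
<?php
// Added example, not from the thread. In-memory SQLite via PDO so that it
// runs without a MySQL server; a MySQL DSN would work the same way.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE X (var TEXT, var2 TEXT, var3 TEXT)');

// Constructed input containing a comma (the case asked about) and an
// apostrophe, which is the character that quoting alone does not handle.
$Z = "O'Brien, Inc.";

// 1. Interpolation with single quotes, as the thread suggests.
// The comma is harmless inside the quotes, but the apostrophe closes the
// string literal early, so the SQL the database sees is not the SQL the
// author wrote. With this input it is a syntax error; with other input
// the statement could still parse and do something unintended.
function insertInterpolated(PDO $db, string $z): bool {
    $sql = "INSERT INTO X (var,var2,var3) VALUES ('x', 'y', '$z')";
    try {
        $db->exec($sql);
        return true;
    } catch (PDOException $e) {
        echo "interpolated query failed: " . $e->getMessage() . "\n";
        return false;
    }
}

// 2. Prepared statement: the SQL text is fixed and the value travels
// separately as a parameter, so commas, quotes and anything else in $z
// are stored literally and can never change the statement's structure.
function insertPrepared(PDO $db, string $z): bool {
    $stmt = $db->prepare('INSERT INTO X (var,var2,var3) VALUES (:a, :b, :c)');
    return $stmt->execute([':a' => 'x', ':b' => 'y', ':c' => $z]);
}

var_dump(insertInterpolated($db, $Z));
var_dump(insertPrepared($db, $Z));

// Read back: only the prepared insert landed, with the value intact.
$stored = $db->query('SELECT var3 FROM X')->fetchColumn();
var_dump($stored === $Z);
```

The same structural point applies to the SET form JamesUS prefers: enclosing `$var` in quotes changes nothing about what a quote inside `$var` does, whereas a placeholder does.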