
Hi!
I'm +1 for sanitizing all output depending on whether HTML is allowed or not. However I admit I haven't looked at the current code for ages. :(
You cannot do any sanitizing on data inserted into MySQL - field values, SQL commands etc. ... And that's most of the data we handle ;-).
I was speaking of the output of strings, not the "input". When we display the SQL commands to the user, we should be able to apply htmlspecialchars, right?! [In this case I think we're doing it already, but how I understood Marc, he wanted to make sure that we always do that]

Regards,
Garvin

--
++ Garvin Hicking | Web Developer [PHP] | www.garv.in | ICQ 21392242
++ Developer of | www.phpMyAdmin.net | www.s9y.org
++ Make me happy | http://wishes.garv.in
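The distinction drawn in this thread (store data untouched, escape only when it is rendered as HTML) is easy to get wrong, so here is an added example in PHP illustrating it. This is not phpMyAdmin's code and not code from any of the posters; the table name `notes`, the `displaySql()` and `storeValue()` helpers and the sample statement are all constructed for the example, and it assumes PHP with the `pdo_sqlite` extension so that it runs without a MySQL server.

```php
<?php
// Added example (not phpMyAdmin code): HTML-escape at output time only,
// while the value written to the database keeps its exact bytes.
declare(strict_types=1);

// Constructed sample: a SQL statement that happens to contain HTML-significant
// characters. This is the kind of string phpMyAdmin shows back to the user.
const SAMPLE_SQL = "SELECT * FROM users WHERE name = '<b>x</b>' AND note = \"a&b\"";

/**
 * Render a raw SQL string for display inside an HTML element body or attribute.
 * ENT_QUOTES escapes both ' and " so the result is also safe inside attributes;
 * ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead of returning ''.
 */
function displaySql(string $rawSql): string
{
    return htmlspecialchars($rawSql, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Persist a value without any HTML escaping. SQL quoting is handled by the
 * prepared statement; HTML escaping belongs to the output path, not here.
 * Table name `notes` is a hypothetical placeholder.
 */
function storeValue(PDO $db, string $value): void
{
    $stmt = $db->prepare('INSERT INTO notes (body) VALUES (:body)');
    $stmt->execute([':body' => $value]);
}

/** Read the single stored value back, exactly as the database holds it. */
function loadValue(PDO $db): string
{
    return (string) $db->query('SELECT body FROM notes')->fetchColumn();
}

// In-memory SQLite stands in for MySQL so the example is self-contained.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (body TEXT)');

storeValue($db, SAMPLE_SQL);
$stored = loadValue($db);

// The stored bytes are untouched: no htmlspecialchars() on the input path.
if ($stored !== SAMPLE_SQL) {
    throw new RuntimeException('stored value was altered');
}

// Escaping is applied once, at the point where the string becomes HTML.
echo '<pre>' . displaySql($stored) . "</pre>\n";
```

Keeping the escaping in the output path means the same stored SQL can also be handed to a non-HTML consumer (a download, a log file, a JSON API) without first having to undo an escaping that was applied too early.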