I said him this. But he wants to solve on this way. After publishing, I checked the fixing and I notified him again. Is as difficult to include mysql_real_escape_string, addslashes, etc? If you want security, your app mustn't depend on Magic quotes...