prepare() to escape and quote the contents of variables. This prevents SQL injection. Use placeholders for all variables used in the query. You should not use variable interpolation or concatenation. ]]> prepare( 'SELECT * from table WHERE field = %s', $_GET['foo'] ); ]]> query( "SELECT * from table WHERE field = {$_GET['foo']}" ); ]]> prepare( 'SELECT * from table WHERE field = %s', $value ); ]]> get_results( "SELECT * from table WHERE field = " . $value ); ]]>