Using your approach, a user doing a search for an employee named Maureen O'Hara would never find a match. Your page would issue a search for Maureen OHara and not find a match. A simple replace function will not understand the difference between syntax punctuation and data punctuation inside a quoted string. You'll need a smarter custom parsing function for that.

I don't think that's what you are aiming for. You're concerned that your page, along with a sneaky user, would issue a statement like this:

    select * from some_table where 1 = 1; delete some_other_table;

And somehow, both statements would get issued? Depends on the back-end code, but doesn't seem too likely. You could test for it to make sure.

Or:

    select aa,bb from some_table where 1 = 1 union all select id, password from some_userpassword_table;

This one would be more likely. Making sure a union isn't in the statement would prevent that. Of course, it would also prevent legitimate uses of a union (assuming that there are any).

Hope this helps.

--
//www.freelists.org/webpage/oracle-l
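An added example, not part of the original post: the two cases discussed above (the O'Hara search and the union statement) run through a quote-stripping filter, plain concatenation, and a bind variable. The `employees` table, the function names, the sample rows and the use of Python's `sqlite3` as a stand-in for the Oracle back end are all assumptions made for illustration.

```python
import sqlite3

# Constructed sample data; sqlite3 stands in for the Oracle back end (assumption).
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table employees (first_name text, last_name text);
        insert into employees values ('Maureen', 'O''Hara');
        create table some_userpassword_table (id text, password text);
        insert into some_userpassword_table values ('admin', 'constructed-secret');
    """)
    return db

BASE = "select first_name, last_name from employees where last_name = "

def search_stripped(db, name):
    # Quote-stripping filter: cannot tell data punctuation from syntax punctuation.
    return db.execute(BASE + "'" + name.replace("'", "") + "'").fetchall()

def search_concatenated(db, name):
    # No filtering: the input becomes part of the statement text.
    return db.execute(BASE + "'" + name + "'").fetchall()

def search_bound(db, name):
    # Bind variable: the statement text is fixed, the input travels as a value.
    return db.execute(BASE + "?", (name,)).fetchall()

# Constructed input that produces the union statement shape quoted in the post.
UNION_INPUT = "x' union all select id, password from some_userpassword_table --"

if __name__ == "__main__":
    db = make_db()
    searches = [("stripped", search_stripped),
                ("concatenated", search_concatenated),
                ("bound", search_bound)]
    for label, fn in searches:
        for value in ("O'Hara", UNION_INPUT):
            try:
                print(label, repr(value), "->", fn(db, value))
            except sqlite3.Error as exc:
                print(label, repr(value), "-> error:", exc)
```

Only the bound version both finds Maureen O'Hara and returns nothing for the union input; the stripped version blocks the union but loses the legitimate match.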