Hi Ray, I recently built a new section on an existing site using SA/mySQLi server behaviors. The client has had a penetration test done and it's come back showing a high impact/high probability of SQL injection which I need to fix urgently. However reading the material on the link above, although I think I understand how it can happen, I'm not sure how to fix it - and particularly if, as you say, the mySQLi server behaviors use prepared statements anyway! Would it be the login page I would need to update? I've attached a copy for info.