The wise Geoff Cox enlightened me with:
>
> I have perhaps oversimplified above - in fact only in one case is the
> user asked to type in data - in the other cases it's a matter of
> clicking on one of two images to give a response.
And what if the user crafts his own HTTP response? You don't check the
data he is giving you, so you might be in trouble. sprintf and/or
mysql_escape_string is your friend.
Mark
--
Terantula - Industrial Strength Open Source -
http://www.terantula.com/
Projects and administration - +31 6 5140 5160
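
The check suggested in the reply above, as an added example that is not part of the original message or either poster's code: the "click one of two images" answer is validated against its two legal values on the server, and the query is built with sprintf plus an escaping call. The table and field names (`answers`, `q`, `choice`, `comment`) are hypothetical, and `PDO::quote` on an in-memory SQLite database (assumes the pdo_sqlite extension) stands in for `mysql_escape_string`, which was removed in PHP 7.

```php
<?php
// Added example; table and field names are hypothetical.

// Treat every submission as hand-crafted: check type, range and length.
function validate_answer(array $post): array
{
    // Two clickable images means exactly two legal values.
    $choice = $post['choice'] ?? null;
    if (!is_string($choice) || !in_array($choice, ['1', '2'], true)) {
        throw new InvalidArgumentException('choice must be 1 or 2');
    }
    $q = $post['q'] ?? null;
    if (!is_string($q) || !ctype_digit($q) || strlen($q) > 4) {
        throw new InvalidArgumentException('bad question id');
    }
    // The single free-text field: bound its length, escape it at query time.
    $comment = $post['comment'] ?? '';
    if (!is_string($comment) || strlen($comment) > 200) {
        throw new InvalidArgumentException('bad comment');
    }
    return ['q' => (int)$q, 'choice' => (int)$choice, 'comment' => $comment];
}

function store_answer(PDO $db, array $a): void
{
    // %d forces integers; quote() escapes the string and adds the quotes.
    $sql = sprintf(
        'INSERT INTO answers (q, choice, comment) VALUES (%d, %d, %s)',
        $a['q'], $a['choice'], $db->quote($a['comment'])
    );
    $db->exec($sql);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE answers (q INTEGER, choice INTEGER, comment TEXT)');

// Constructed submissions: one as the form would send it, two hand-crafted.
$samples = [
    ['q' => '3', 'choice' => '2', 'comment' => "it's fine"],
    ['q' => '3', 'choice' => '7', 'comment' => ''],       // value the form never offers
    ['q' => '3', 'choice' => ['2'], 'comment' => ''],     // array instead of string
];
foreach ($samples as $post) {
    try {
        store_answer($db, validate_answer($post));
        echo "stored\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
echo $db->query('SELECT COUNT(*) FROM answers')->fetchColumn(), " row(s) stored\n";
```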