MakeWebGames

Barrikor


Everything posted by Barrikor

  1. Barrikor

    Securing $_POST

    I prefer formatting everything on input so that I know everything I've got is safe. "Hëllo, WoⓇld!" goes into my database as "H[euml]llo[#44] Wo[#9415]ld[#33]". Takes more storage space, but converting+whitelisting the data as soon as you get it makes life much easier.
  2. Barrikor

    Securing $_POST

    I wouldn't really call it sanitizing until you whitelist allowed chars, and also take Unicode chars into account.
  3. Barrikor

    Securing $_POST

    I don't think it works below IE10... Also, Firefox will interpret it the same as an input type=text.
  4.   OO Mysqli actually has more than one object; you just need to call num_rows from the result object instead of the db object:

        // $username and $epassword are interpolated into the SQL, so they must
        // already be escaped (or the query rewritten as a prepared statement).
        $result_handle = $db_handle->query("SELECT * FROM users WHERE (username = '$username' AND password = '$epassword')");
        if ($result_handle) {
            // query() buffers the whole result by default (MYSQLI_STORE_RESULT),
            // so no store_result() call is needed here; mysqli_result has no such method.
            $nr = $result_handle->num_rows;
            // note that num_rows will screw up until you run through every fetch or use store_result or anything that does the same.
        } else {
            // stuff for if query failed
        }
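The encode-on-input scheme described in the first post above, as an added example that is not Barrikor's code: the function name, the allow-list (ASCII letters, digits and space) and the choice of PHP's HTML 4.01 entity table for the named forms are assumptions, and it needs the mbstring extension and PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the post): allow-list a few characters and
// store everything else as a bracketed named or numeric reference.
function encode_on_input(string $raw): string
{
    // Refuse malformed UTF-8 instead of guessing what the bytes meant.
    if (!mb_check_encoding($raw, 'UTF-8')) {
        throw new InvalidArgumentException('input is not valid UTF-8');
    }

    // Map of character => "&name;" for the HTML 4.01 named entities.
    static $named = null;
    $named ??= get_html_translation_table(HTML_ENTITIES, ENT_QUOTES | ENT_HTML401, 'UTF-8');

    $out = '';
    foreach (mb_str_split($raw, 1, 'UTF-8') as $ch) {
        if (preg_match('/\A[A-Za-z0-9 ]\z/', $ch) === 1) {
            // Allow-listed character: stored unchanged.
            $out .= $ch;
        } elseif (isset($named[$ch])
            && preg_match('/\A&([A-Za-z0-9]+);\z/', $named[$ch], $m) === 1) {
            // Character with a named entity: stored as [name].
            $out .= '[' . $m[1] . ']';
        } else {
            // Anything else, including '[' and ']': stored as [#codepoint].
            $out .= '[#' . mb_ord($ch, 'UTF-8') . ']';
        }
    }
    return $out;
}

// The sample string from the first post.
echo encode_on_input("Hëllo, WoⓇld!"), PHP_EOL;

// Constructed input containing markup and a literal bracket sequence.
echo encode_on_input("<b>[#33]</b>"), PHP_EOL;
```

Because `[` and `]` are not on the allow-list, they are encoded too, so a bracketed sequence in stored data can only have come from the encoder and not from the user.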