xisto Community

Jez
Reputation Activity

  1. Upvote
    Jez got a reaction from mamer in Php Simple Login Tutorial Learn how to make a simple login   
    Not too sure about a Xisto account, however you can just use 'mysql_real_escape_string($myinput)' and that would protect you against SQL injections. You see, you have to understand that by querying a database with text (numeric data obviously is not subjected to this), MySQL appreciates everything as a command; SELECT, FROM and WHERE are all commands.

    This allows the user, if no SQL injection protection has been used, to issue commands that could read from another database. By using mysql_real_escape_string() or prepare in PDO, this sends in the requests as pure text and it's left entirely up to your SQL to actually perform the query, thus eliminating the potential for them to either read from another table or database, or even worse, dropping a table or database even (if your privileges are not secure; when using the test database myself, I set up accounts that are only allowed to see certain tables. Always think beyond the obvious is my key).

    A query can be any type of syntax, like an actual query where you're trying to find the value of something, or creating a database; these are all technically queries in database logic.
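
The difference between input that is concatenated into the SQL text and input that is bound through a PDO prepared statement, as an added example that is not part of the original post. The table, rows, function names and the crafted input are constructed for illustration, and the script assumes the `pdo_sqlite` extension so it can run against an in-memory database.

```php
<?php
// Added example. Table, rows and function names are constructed for illustration.
// Assumes the pdo_sqlite extension; an in-memory database keeps it offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pass_hash TEXT)');

$insert = $pdo->prepare('INSERT INTO users (username, pass_hash) VALUES (:u, :h)');
foreach (['alice' => 'correct horse', 'bob' => 'battery staple'] as $name => $password) {
    $insert->execute([':u' => $name, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Before: the input becomes part of the SQL text, so a quote in it can
// change the structure of the statement.
function countMatchesConcatenated(PDO $pdo, string $username): int
{
    $sql = "SELECT COUNT(*) FROM users WHERE username = '" . $username . "'";
    return (int) $pdo->query($sql)->fetchColumn();
}

// After: the statement is fixed at prepare time and the input is bound as a value.
function countMatchesPrepared(PDO $pdo, string $username): int
{
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return (int) $stmt->fetchColumn();
}

// Login check built on the prepared form, with the password compared by hash.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT pass_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

$crafted = "nobody' OR '1'='1"; // constructed input containing SQL syntax

printf("concatenated: %d row(s)\n", countMatchesConcatenated($pdo, $crafted));
printf("prepared:     %d row(s)\n", countMatchesPrepared($pdo, $crafted));
var_dump(login($pdo, 'alice', 'correct horse'));
var_dump(login($pdo, $crafted, 'anything'));
```

The example uses PDO rather than `mysql_real_escape_string()` because the `mysql_*` functions were removed in PHP 7.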