- VALUES ('" . $_POST['salesman_name'] . "', '" .$_POST['salesman_phone'] . "', '" . $_POST['salesman_fax'] . "', '" . $_POST['salesman_email'] . "', ".
- input_num('provision').", ".input_num('break_pt').", ".input_num('provision2').")";
+ VALUES (".db_escape($_POST['salesman_name']) . ", "
+ .db_escape($_POST['salesman_phone']) . ", "
+ .db_escape($_POST['salesman_fax']) . ", "
+ .db_escape($_POST['salesman_email']) . ", ".
+ input_num('provision').", ".input_num('break_pt').", "
+ .input_num('provision2').")";
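Review bot: The three numeric fields on the last two added lines (`input_num('provision')`, `input_num('break_pt')`, `input_num('provision2')`) are still concatenated into the statement unquoted and unescaped, so the fix is complete only if input_num() is guaranteed to return a number for any posted value. That helper is not visible here, so either confirm this or pass the values through `db_escape()` like the text fields. The added lines also drop the literal quotes around the string fields, which is correct only if db_escape() returns the value already quoted. A short comment such as `// db_escape() quotes and escapes; do not add quotes here` would keep a later edit from re-adding the quotes or removing the call. The statement begins above this hunk, so the column list and any other request-derived values in it are not covered by this note.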