05-19-2014, 12:01 PM
 
bbrewer
Newbie
Join Date: Feb 2014
Posts: 2

SQL escaping for queries using x-cart's db functions

I was just working on a mod for X-Cart 4.6.1 and was under the impression that all the db functions do proper automatic escaping to prevent SQL injection, but then I was using db_query() to insert a name with an apostrophe and it wasn't working, so I looked at the function and it doesn't escape anything. So, what function should I be using to handle insert queries with automatic escaping of values? Should I not use db_query() for anything anymore?
__________________
X-Cart 4.6.1 GoldPlus
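The failure described in the post (an unescaped apostrophe dropped straight into an INSERT string) next to two safe ways of building the same statement, as an added PHP example; this is not X-Cart's own code and does not use its db layer. It assumes a `mysqli` connection `$db` and a table `xcart_customers` with columns `login` and `firstname`, both placeholder names.

```php
<?php
// Added example, not X-Cart code. $db is an assumed mysqli connection and
// xcart_customers(login, firstname) is an assumed placeholder table.

function unsafe_insert_sql(string $login, string $firstname): string {
    // The pattern from the post: the raw value is interpolated into the SQL.
    // With $firstname = "O'Brien" the apostrophe closes the string literal
    // early, so the statement is malformed; with crafted input it is an
    // injection, not just a syntax error.
    return "INSERT INTO xcart_customers (login, firstname) "
         . "VALUES ('$login', '$firstname')";
}

function safe_insert(mysqli $db, string $login, string $firstname): bool {
    // Preferred fix: a prepared statement. Placeholders keep data separate
    // from SQL, so no escaping of the values is needed at all.
    $stmt = $db->prepare(
        'INSERT INTO xcart_customers (login, firstname) VALUES (?, ?)'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ss', $login, $firstname);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

function escaped_insert_sql(mysqli $db, string $login, string $firstname): string {
    // If a literal SQL string is unavoidable (e.g. for a db_query()-style
    // helper that runs whatever it is given), escape every value with the
    // connection's own escaper, which knows the active charset; never
    // hand-roll the escaping with str_replace or addslashes.
    $l = $db->real_escape_string($login);
    $f = $db->real_escape_string($firstname);
    return "INSERT INTO xcart_customers (login, firstname) VALUES ('$l', '$f')";
}

// Constructed sample input: a name containing an apostrophe.
$login = 'obrien';
$firstname = "O'Brien";
// Print the unsafe statement to see where the literal breaks; the two safe
// variants above need a live $db connection to run.
echo unsafe_insert_sql($login, $firstname), "\n";
```

Whichever form a project's db wrapper supports, the rule is the same: values reach the query only through bound parameters or the driver's escaper, never by string concatenation.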