We all have to start somewhere. Just a few tips of my own and I apologize if any are repeats.

Think stored procedures. That will solve the SQL injection attack problem by itself. At the very least use parameterized queries. This will solve more than just security issues. Imagine the headache of having to debug your app at 2am because somebody entered "Bob O'Malley" into a textbox?

Put data connections, data readers, and commands into using statements. Especially the connections. Again, you don't want to be figuring out why your server came to a screeching halt at 2am because no connections ever closed.

DataSets are great; you can also use the reader to load that data into a collection of objects, close your connections, then pass the collection around anywhere you need it.

I know some of this may seem advanced if you're just getting started, but remember this is where you want to be going. It's never too early to start doing it right.

Oh, one more thing that I just noticed: you don't need a priming read on your datareader. This will actually cause you to throw away the first row of data. HTH.
J Make the logo bigger
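
The tips in the post above combined into one data-access method, as an added example that is not part of the original post: a parameterized query, `using` blocks around the connection, command and reader, a read loop with no priming read, and rows loaded into a collection that outlives the connection. The `Customers` table, its `Id` (INT) and `LastName` (NVARCHAR) columns, the `Customer` class and the `DEMO_CONNECTION_STRING` environment variable are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public sealed class Customer { public int Id; public string LastName; }

public static class CustomerData
{
    // Hypothetical schema: Customers(Id INT, LastName NVARCHAR(100) NOT NULL).
    public static List<Customer> FindByLastName(string connectionString, string lastName)
    {
        var results = new List<Customer>();
        const string sql = "SELECT Id, LastName FROM Customers WHERE LastName = @lastName";

        // using disposes (and so closes) each object even when an exception is thrown.
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // The value is sent as data, separate from the SQL text, so the
            // apostrophe in "O'Malley" cannot break or alter the statement.
            cmd.Parameters.Add("@lastName", SqlDbType.NVarChar, 100).Value = lastName;
            conn.Open();

            using (var reader = cmd.ExecuteReader())
            {
                // No reader.Read() before the loop: the reader starts positioned
                // before the first row, so an extra call would discard that row.
                while (reader.Read())
                {
                    results.Add(new Customer { Id = reader.GetInt32(0), LastName = reader.GetString(1) });
                }
            }
        }
        // The connection is closed here; the list can be passed anywhere.
        return results;
    }

    public static void Main()
    {
        // Assumed: DEMO_CONNECTION_STRING points at a test database with the schema above.
        var cs = Environment.GetEnvironmentVariable("DEMO_CONNECTION_STRING");
        foreach (var c in FindByLastName(cs, "O'Malley"))
            Console.WriteLine(c.Id + ": " + c.LastName);
    }
}
```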