I setup a page so I can practice SQL injections to get an idea of how they work, but in my page they don't work at all. My queries are like this "SELECT fields FROM table WHERE field1 = '$value' " and lets say this query is hooked up to a URL variable, if I type in ?urlvar='; SHOW TABLES; or something like that, it just escapes the ' and nothing happens. Do SQL injections only work if the inputs aren't wrapped in quotes? As in SELECT fields FROM table WHERE field1 = $value.