The virtual app code assumes Magic Quotes is disabled and uses mysqli_real_escape_string() directly...but my host provider has Magic Quotes enabled, so for that environment should I replace every mysqli_real_escape_string() statement with the 'escape_data()' function defined in 'mysql.inc.php'? For the IPN listener, if modified to process other fields, how would $_POST['payment_date'] be made safe to use in a query, or is it necessary for dates? Also for the IPN listener, is there a way to run the entire $_POST[] array from PayPal at once (i.e. something like 'escape_data($_POST[])', or each individual value you want to retain should be handled individually?