Thanks, lots of really useful advice there
I've got it working now, I was making some minor errors. I'm using PDO on the server side, so the solution to protecting against injects appears to be the bindparam instruction. I was confused about the very basics of how to send my username as part of the post in C2, but I think it's simply...
UserName=&Textbox.Text (build as a string then send in the 'data' part of the AJAX Post to URl).
Then at my server side, I now have....
// Already connected to database....
$UserName = trim($_POST['UserName']);
echo $UserName; // Obviously this is just for testing, it's picked up by C2 as the AJAX.Lastdata
$db->beginTransaction();
try {
$query = $db->prepare("INSERT INTO Users
(Name)
VALUES (:Name)");
$Name = $UserName;
$query->bindParam(':Name', $Name, PDO::PARAM_STR);
$query->execute();
$db->commit();
Not sure if this is all a bit over-cautious, but it does work. From what I've read, the whole 'bindparam' procedure does protect from injects etc anyway.
One thing that was causing me problems was the strict capitalization rules. For example, 'Username' and 'UserName' are not the same, so that sent me wrong a few times
Thanks again for your input, that really helped