Sorry for a pretty late reply to this post. While I agree with Tilly's post (using placeholders being a Good Thing) if your database is open to subjugation via sql injection, you ought to rethink a few things ...

I don't have any "professional" programming education, but it became aparent to me on my first day of playing with mySQL that you ought to do two things when you have a database table storing credit card info on the web (or anything else that sensitive):

• Acesses that table with a mySQL user that ONLY has write access permission. You can even set up a 2nd db that has NO user with read permissions (no user that submits a web form). Also, I generally assume you would not chose to name the table of CC numbers something obvious like table_creditcards.
• Encrypt the CC data in the table

I would imagine, even if you don't understand the idea of placeholders, or preventing a sql injection attack, this ought to stop many potential problems.

BTW, if I'm completely wrong, and these steps accomplish nothing, tell me. :-)

- theAcolyte